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Now Available at a Browser Near You 

Software-as-a-Service (SaaS) has been described as 
the most disruptive delivery model to ever face the enterprise 
software market for one simple reason: it works 



Qualys is the first company to deliver an on demand solution for security risk and compliance 
management. QualysGuard*' is the widest deployed security on demand platform in the world, 
performing over 150 million IP audits per year — with no software to install and maintain. 

For a free trial, go to a browser near you. 

www.qualys.com/SaaSTrial 
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Welcome to (IN)SECURE 15 
the digital security magazine 




It's February and the perfect time for another issue of (IN)SECURE. This time around we bring you the 
opinions of some of the most important people in the anti-malware industry, a fresh outlook on social 
engineering, fraud mitigation, security visualization, insider threat and much more. 

We'll be attending InfosecWorld in Orlando, Black Hat in Amsterdam and the RSA Conference in San 
Francisco. In case you want to show us your products or just grab a drink do get in touch. Expect coverage 
from these events in the April issue. 

I'm happy to report that since issue 14 was released we've had many new subscribers and that clearly 
means that we're headed in the right direction. We're always on the lookout for new material so if you'd like 
to present yourself to a large audience drop me an e-mail. 

Mirko Zorz 
Chief Editor 
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Qualys releases QualysGuard PCI 2.0 
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Qualys announced the availability of QualysGuard PCI 2.0, the 
second generation of its On Demand PCI Platform. It dramatically 
streamlines the PCI compliance process and adds new capabilities 
for large corporations to facilitate PCI compliance on a global scale. 



QualysGuard PCI 2.0 brings a new refined user interface making it 
easy to navigate through the process of scanning, remediating and e-filing customers' compliance 
status to multiple acquiring banks, (www.qualys.com) 



Open Source Vulnerability Database 2.0 

OSVDB announced a major milestone in the 
cataloging, classification, description and man- 
agement of software and hardware security vul- 
nerabilities - the release of OSVDB 2.0, a com- 
plete rewrite of the web site using Ruby on 
Rails, provides substantial performance and re- 
liability improvements for both developers and 
researchers. 



OSVDB 2.0 enhancements include: greater detail about the overall nature of a specific vulnerabil- 
ity, a "Watch List" service that provides alerts for new vulnerabilities, consolidating external blogs 
by vulnerability, and new reporting metrics, (www.osvdb.org) 
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Firestick Pico ultra-portable security USB device 




Yoggie Security Systems has introduced a unique, ultra-portable 
USB key-sized hardware-based firewall solution to protect PCs 
from malicious attacks. The Firestick Pico places a physical bar- 
rier between PCs and the Internet to ensure that threats never 
reach users' computers. It is a complete Linux-based 300 MHz 
computer with a dual flash memory mechanism that constitutes 
an 'untouchable operating system' running an independent fire- 
wall application, (www.yoggie.com) 



New GateKeeper prevents leap-frogging to unauthorized areas 



Xceedium GateKeeper 4.0 delivers patent-pending LeapFrog 
Prevention technology FIPS 140-2, Level 2 certification and 
other new feature enhancements. 

It provides first-to-market technology that allows companies to 
protect critical infrastructure by restricting technical users to 
authorized areas only. Its patent-pending technology monitors 
and enforces policy at the socket layer and tracks all activities 
for these users, (www.xceedium.com) 



Linux Shell Season 
Helmet 10,1,1.1 
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Amhorized Server — Leapfrog Attempted and Etocksd 



Biometric protection for Mac 




UPEK launched Protector Suite for Mac, software that allows 
Mac users to increase both security and convenience with the 
simple swipe of their unique finger. Protector Suite for Mac in 
combination with Eikon Digital Privacy Manager, a USB pe- 
ripheral fingerprint reader, enables Mac users to swipe their 
finger instead of typing passwords to login as well as access 
password-protected websites and secure preferences. 
(www.upek.com) 
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RedCannon KeyPoint Solo Vault USB protection 

RedCannon Security announced the RedCannon KeyPoint Solo 
Vault, a software solution to protect sensitive data stored on USB 
devices. It provides standards-based, military-grade software 
encryption that allows end-users to maintain productivity in the 
field with the assurance that the data they carry and use will not 
be compromised. KeyPoint Solo Vault extends the benefits of the 
RedCannon FlPS-certified portable encryption technology to any 

USB flash drive. The solution operates without a management server and requires no software 
installation on the host PC. (www.redcannon.com) 
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Smallest form-factor data security card 




Hifn announced Express DS 255, the industry's highest- 
performance, lowest-power and smallest form-factor data security 
card. Delivering the strongest industry-standard encryption for se- 
curing data-in-transit, the Express DS 255, easily handles today's 
encryption requirements and enables the next-generation network 
security applications. When applied to network security applica- 
tions, the Express DS 255's accelerated performance can proc- 
ess SSL, IPsec and DTLS protocols at over 400K packets per 
second up to 2 Gbps. (www.hifn.com) 



IBM Lotus Quickr file encryption solution 

New Voltage SecureFile for IBM Lotus Quickr brings infor- 
mation encryption to documents within the Lotus collabora- 
tion environment.Voltage SecureFile for IBM Lotus Quickr 
offers several key benefits to customers that have de- 
ployed the IBM collaboration environment. The product 
enables businesses to secure information work-flows, pro- 
tect the integrity of their brand reputation, ensure customer 
confidence, mitigate potential risk involved in a data breach 
and meet compliance regulations, (www.voltage.com) 
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Cisco ASA 5580 Series Adaptive Security Appliances 



Cisco announced the availability of the Cisco ASA 5580 Series Adap- 
tive Security Appliances, the company's highest-performing security 
appliance offering. The new Cisco ASA 5580 is a super-high- 
performance security platform equally well suited for deployment as a 
highly scalable firewall with up to 20 gigabits per second of through- 
put, as well as a 10,000 user remote-access concentrator for Secure 
Sockets Layer and IP Security based virtual private networks. 
(www.cisco.com) 




SsfeHguseSmarttard Proirerti'SS 



PflMwcKds Qgtiwis | Tod* Smartcaid , MxhA 

De-ate Virtual Sntstaard 



: 



I ' j 



SafeHouse 3.0 USB encryption 

PC Dynamics announced the release of its new SafeHouse 3.0 
data privacy and encryption software with dozens of new features 
including greatly-enhanced support for USB memory sticks. Safe- 
House locks, hides and encrypts sensitive files and folders using 
passwords and super-strong encryption. 

It is completely transparent to the way users work and is compati- 
ble with all Windows applications by masquerading as a 
password-protected Windows drive letter, (www.pcdynamics.com) 
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New SafeWord 2008 two-factor authentication tokens 



Secure Computing announced the immediate avail- 
ability of SafeWord 2008, their new two-factor authen- 
tication solution. These easy-to-use tokens provide 
highly secure and cost effective access protection for 
information assets and applications through Citrix ap- 
plications, VPNs, Web applications and Outlook Web 
Access. SafeWord 2008 is designed for the latest 64-bit 
Windows environments, including Vista and Windows 2008 Server, with seamless integration to 
Microsoft Active Directory, (www.securecomputing.com) 




Mobile security for UIQ devices 

F-Secure released its Mobile Security product for the UIQ platform. F-Secure 
and Sony Ericsson are partnering on supplying mobile security to Sony Erics- 
son's smartphones. Atrial version of the F-Secure Mobile Security 3.3 for UIQ 
will be available in selected Sony Ericsson UIQ devices. The companies will co- 
operate closely together in the area of mobile security to make sure that smart- 
phones will continue to offer a safe and rich mobile computing experience. 
(www.f-secure.com) 




Remotely "murder" your stolen laptop 



Alcatel-Lucent has developed a laptop security and 
management system - the OmniAccess 3500 Nonstop 
Laptop Guardian - that remotely secures, monitors, 
manages and locates mobile computers. If a laptop is 
reported lost or stolen, the solution can automatically 
destroy all data held on the device, even if the com- 
puter is turned off. The core technology of the solution 
consists of a secure, 'always on' computing system residing on a 3G broadband data card which 
includes a completely separate secure operating system and battery, and operates over any 
broadband, 3G or WiFi network, (www.laptopguardian.co.uk) 




WatchGuard upgrades software on its appliances 




lixi j . . mutna 



WatchGuard released the latest version of net- 
work security software for its Firebox X Peak, 
Core and Edge unified threat management ap- 
pliances. Version 10 includes a myriad of new 
features to keep users securely connected to 
their network. For instance, Fireware 10 and 
Edge 10 now integrate SSL VPN functionality. 

Further addressing secure mobility needs, both operating systems will support Mobile VPN for 
Windows Mobile devices, and for workers who use voice over IP or video conferencing, Fireware 
10 and Edge 10 support SIP and H.323 connections. (www. watchguard.com) 
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Proactive analysis of malware genes 
holds the key to network security 

By Mark Harris 




During the last few months of 2007, some new entrants into the security 
market made a lot of noise about the impending death of the signature based 
virus detection offered by traditional anti-virus vendors. 



However, the reality is that this type of protec- 
tion has already been dead for a long time, 
with the 'traditionalists' themselves killing it off 
in the early 90s, when viruses and malware 
stopped having distinct signatures. Since 
then, cybercriminals have continued to shift 
their focus from one-dimensional virus writing 
to multi-faceted malware creation, which is 
capable of infiltrating all possible routes into a 
company's corporate systems. These complex 
attacks mean that ever more proactive meth- 
ods of detection and protection have been 
evolved in order to protect the integrity of cor- 
porate networks. 

The growth in malware wheedling its way onto 
business networks has come about for one 
key reason - money. The days of awkward 
adolescents stowing themselves away in their 
bedrooms, feverishly inventing headline- 
grabbing viruses to gain notoriety and respect 
from their peers are long gone. Now, cash is 
the motivator, and cybercriminals are con- 



stantly trying to create the next piece of mal- 
ware that, instead of making the news, will slip 
through the net unnoticed. Hackers are there- 
fore carrying out far more targeted attacks, 
which by their very nature are harder to de- 
tect, so dictate that a much more sophisti- 
cated approach to IT security must be 
adopted. 

Another factor to consider is that the ubiquity 
of computers in the 21st century. Almost all 
businesses now rely on PCs and most homes 
have at least one computer. PCs are used for 
everything from business correspondence and 
social networking, to shopping and gambling 
and the sheer volume of confidential informa- 
tion now disclosed online offers rich pickings 
to cybercriminals. As most businesses now 
recognize the importance of protecting their 
data, cybercriminals have had to become 
more inventive in the methods they use to 
break through ever-tightening IT security de- 
fences and dupe innocent users. 
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One common tactic is to write as many vari- 
ants of the same malware as possible. This 
makes it quick and easy to create and send 
out new attacks and the slight change in the 
code and behavior of each variant mean that it 
is much more likely to avoid detection by IT 
security solutions. The potential success of 
such tactics is clearly illustrated by the 
Pushdo Trojan horse. First detected in March 
2007, Pushdo caused relatively little trouble 
for computer users until August when the 
authors started spamming out around four 
new variants every day. For the last five 
months of 2007, Pushdo consistently ac- 



counted for around one fifth of all email-borne 
malware detected by Sophos. 

Signature based security is dead 

Traditional anti-virus detection techniques look 
for patterns of code that are unique to known 
malicious executables. While this sort of de- 
tection by itself no longer offers sufficient pro- 
tection against cyber attacks, most security 
solutions still rely on these malware signa- 
tures in part to identify different types of 
threats in order to defend networks against 
intrusion. 



A HOST INTRUSION PREVENTION SYSTEM (HIPS) IS THE KEY 
TO MORE RIGOROUS NETWORK DEFENSE 



Anyway, these signatures can take many 
forms and are usually based on several sec- 
tions within the program. For example, a sig- 
nature might look to match three 50-byte ar- 
eas of code, at specific offsets or locations 
within a file. The challenge when creating 
such signatures is to ensure that the areas of 
code detected as malicious by the security so- 
lution, are not in fact part of common libraries. 
Such a mistake could result in legitimate pro- 
grams being labeled as malicious and not be- 
ing allowed to run. 

The disadvantage of this form of protection is 
therefore that no proactive detection of any 
sort can be offered. Fast paced, malicious 
malware, including zero-day threats which are 
released into the wild before security vendors 
can issue protection against them, can there- 
fore sometimes slip through the net, resulting 
in infection of the corporate network, the con- 
sequences of which can range from corporate 
ID theft, to embarrassing headlines and hefty 
financial penalties. 

The HIPS solution 

To comprehensively defend against all threats, 
it is therefore necessary to implement proac- 
tive security solutions that can protect and de- 
fend against attacks as soon as they are re- 
leased; that is before a specific detection up- 
date can be written to secure the software 
against attack and, crucially, before the mal- 
ware is even allowed to execute. Without this 
level of defense in place, fraudsters will con- 
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tinue to find success targeting business op- 
eration systems and applications. 

A Host Intrusion Prevention System (HIPS) is 
the key to more rigorous network defense, 
and will effectively complement reactive solu- 
tions. These proactive solutions have been 
designed to stop malware before a specific 
detection update is released by monitoring the 
behavior of applications. Traditional HIPS sys- 
tems achieve this by monitoring and looking 
for unusual or malicious behavior once appli- 
cations are running. 

Nevertheless, these solutions can fall down. 
As with signature based detection, it can be a 
challenge to distinguish between legitimate 
and malicious applications, as the simpler the 
malware the harder it is to identify it as such. 
This can cause problems because the HIPS 
solution will monitor code as it runs and will 
intervene as soon as code that is deemed to 
be suspicious or malicious is detected. There- 
fore, if malicious code is even allowed to run, 
it can wreak havoc on the corporate network 
before it is even detected. Furthermore, if a 
suspicious, but ultimately clean, application is 
monitored, any modifications that are made 
may have an adverse effect on the operating 
system. Stopping the execution could cause 
further problems. Another drawback is that 
this type of run-time analysis can only occur at 
the desktop or endpoint, and therefore offers 
no protection against malware entering via the 
email or web gateways. 



Beyond HIPS 

Traditional HIPS systems then are a big step 
in the right direction, but further proactive pro- 
tection needs to be put in place in order to en- 
sure IT security solutions are able to effec- 
tively deal with all malware threats, both 
known and unknown. The next stage should 
therefore be to implement pre-execution 
scanning to determine what the functionality of 
the application is and what behavior it is likely 
to exhibit before allowing the program to run. 

In addition to analyzing run-time behavior, with 
such a solution it is also possible to determine 
and assess static characteristics which can 
also be indicators of malicious behavior. For 
example, resource information such as details 
of the software publisher - strings embedded 
in the application - can be used to ascertain 
the validity of some programs. 

The gene building alternative 

One way of implementing effective pre- 
execution scanning is to effectively identify 
each individual characteristic as a gene. 
Whilst in biological terms, genes are the build- 
ing blocks that make up individual species, in 
technology terms, they are the building blocks 
of executable programs. 

Using behavioral genotyping solutions, busi- 
nesses can be safe in the knowledge that their 
data and networks are protected from attack, 
as all files will be rigorously scanned, with 
hundreds of genes extracted for microscopic 
analysis. Rather than looking for individual 
characteristics, these solutions identify combi- 
nations of genes to enable the classification of 
new malware. By extracting genes from exist- 
ing malware, it is possible to identify the 
common characteristics and the combinations 
in which they are used in malware. This 
knowledge enables security experts to pin- 
point new genes that have never previously 
appeared, therefore ensuring they can be 
quashed before future attacks are attempted. 

Still, to ensure precision, the best solutions 
will also look at the genes that are seen in 
known safe files; these are executables that 
are known to not be malicious. By comparing 
the combinations that are found in malware 
but that never appear in clean files, the risk of 



incorrectly identifying a file as malicious when 
it is actually safe, can be dramatically dimin- 
ished. 

Giveaway genes 

A key benefit of adopting of this behavioral 
genotyping approach is that there are some 
giveaway genes, which can be used to quickly 
identify the presence of malicious code. For 
example, it can be used to decode 'packer' 
tools, which are frequently used by cyber- 
criminals to disguise the contents of their at- 
tacks. Packers are compression tools that re- 
duce the size of executable files, thereby ena- 
bling fraudsters to compress and hide the con- 
tents of these files in an attempt to bypass se- 
curity applications. 

This method also has the added benefit of 
making the files easily modifiable, making tra- 
ditional signature-based detection methods 
ineffective and redundant. While sophisticated 
signature-based detection will eventually de- 
code the packing algorithm, enabling the solu- 
tion to descramble the contents of the file, by 
the time this happens, malware authors will 
more often than not have already moved on to 
the next packing algorithm. 

The way in which an application is packed can 
be a strong indication that its content is mali- 
cious - Sophos research has shown that 21 
percent of all malware it detects is packed, but 
only one in every 100,000 clean files are 
packed. Packing is one 'gene' that is as- 
sessed during the scanning and analyzing 
process. Other genes include which pro- 
gramming language is used, the ability to ac- 
cess the internet, copy files, add registry en- 
tries or search for publisher information. Sim- 
ply put, if an application is packed, written in 
Visual Basic, accesses the internet and con- 
tains references to banking websites, there is 
a significant chance that it is a banking Trojan 
horse. 

Key advantages of proactive techniques 

This method of gene detection is flexible 
enough to adapt as malware authors' tech- 
niques evolve. When authors implement a 
new method, it is frequently identified as a 
new gene, and security experts can then ana- 
lyze it in conjunction with existing genes 
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to effectively detect many new variants of a 
malware campaign, rather than simply the 
original attack. This type of examination also 
has the added benefit of offering protection at 
the email and web gateway, as well as at the 
desktop, since analysis can be carried out 
without even executing the code. Further- 
more, sophisticated HIPS systems can also 
detect and prevent zero-day threats without 
the need for signature updates, ensuring that 
these attacks are stopped in their tracks be- 
fore they can cause serious mayhem. 

The Storm worm example 

A good example of modern sophisticated pro- 
active detection at work is given by the Storm 
worm outbreak that started in October 2006 
and is still continuing to cause infections. 
There were hundreds of variants, including the 
prolific Dorf and Dref worms, and in one fell 
swoop, a single behavioral genotype identity 
detected nearly 5,000 different, unique vari- 
ants. Using traditional signature-based, reac- 
tive techniques would have taken consider- 
able resources and energy - not to mention 
time. The time saved ensured that the variants 
created by the hacker were able to gain ac- 



cess to far fewer systems than if signature- 
based testing alone had been implemented. 

Conclusion 

Proactive detection is already central to the 
most effective security solutions, but organiza- 
tions need to be aware that not all HIPS tech- 
nology is the same. It is crucial to implement a 
solution that examines code before it executes 
as well as when the application is running. 
Without this dual method of analysis, malware 
could slip through the net, and network issues 
could arise if a file has incorrectly been identi- 
fied as malicious when it is actually safe. 

If IT managers are aware of the breadth and 
cause of threats silently trying to infiltrate cor- 
porate networks every minute of the day, they 
will have a clearer understanding of what ac- 
tion needs to be taken. If businesses take 
control of their security and realise the impor- 
tance of proactive detection methods, they will 
reap the benefits, resting safe in the knowl- 
edge that they are doing everything in their 
power to thwart malware attacks of all kinds. 



Mark Harris is the Global Director of SophosLabs. Based at Sophos's global headquarters near Oxford, UK, 
Mark manages the company's worldwide threat analysis teams, which deliver round-the-clock anti-malware 
protection to the company's worldwide customer base. He joined Sophos in 2005, prior to that he was Director 
of Engineering at McAfee. 
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Advanced social engineering and human exploitation part 1 

By Mike Murray 




When I go out in the world and talk about social engineering, many people are 
amazed by what kinds of influence are actually possible on the people around 
them. And, yet, when I read the common books and online resources about 
social engineering, two basic messages are repeated over and over again: 

"If you want success as a social engineer, just ask for what you want" 

"If you want to be successful, just pretend to be somebody obvious who can't 

be verified (like a help desk or IT guy)" 



I repeatedly read this, and I find it discourag- 
ing. I talk to some of the luminaries in the se- 
curity field or read their blogs and the things 
that they hold up as the "pinnacle" of social 
engineering are the simplest and the most ri- 
diculous attacks I have seen. It's as though 
we, as an industry, look at social engineering 
the same way that the major media looks at 
DDoS attacks and website defacements; the 
simplest and least impressive technical at- 
tacks are heralded as a big deal. And it is the 
same sort of ignorance that leads to the cur- 
rent state of knowledge about social engineer- 
ing. 

Most of what is on the news and in the books 
on social engineering is really the "script kid- 
die" version of social engineering. In most 
cases, it is no more impressive than someone 
downloading a 'sploit off of PacketStorm and 
running it against a bunch of websites. While 



this stuff works against truly easy or unpre- 
pared targets (exactly like most canned ex- 
ploits), it tends to fail against truly hard tar- 
gets. 

Unfortunately, this tends to give everyone a 
false sense of security. A friend of mine likes 
to say that penetration tests are ultimately 
tests not of the organization's security, but of 
the skill of the penetration tester. Nowhere is 
this more true than in social engineering: and 
the state of skill of most social engineers is 
truly dismal. Even the greats of the industry 
have incredible natural talent but little under- 
standing of how and why they are successful. 

I hope, through this series of articles, to ex- 
pand what you see as possible. And, hope- 
fully, that enhanced awareness will push the 
bar higher in the industry - for all social engi- 
neers to see a need to upgrade their skills 



www.insecuremag.com 



13 



in influence, so that when organizations test 
their security by employing social engineers, 
they are actually finding the places in the or- 
ganization where there is resistance to a 
genuinely skilled attacker. 

What real social engineering looks like 

"ABC Drug franchise help line. How can I help 
you today?" 

Thus began a social engineering engagement 
that remains legendary to this day (to the 10 
or so people privy to the details). The com- 
pany had been engaged to work with a major 
drug store chain whose business was a fran- 
chise operation. And, like most franchise op- 
erations, their crown jewels were all contained 
in the manuals and business processes a 
store uses to operate. 

This company had invested a huge amount in 
protecting this information electronically. En- 
cryption, access control, least privilege - they 
had done it right. And they were confident that 
the consultant that they hired to test their se- 
curity would be unable to get the information. 

Then they met Christine (not her real name). 
She picked up the phone one night and called 
the help line that was available for those who 
were legitimate franchisees. 

"Umm... hi", she started. "So, uh.... like, 
yeah... my boss got a franchise, and I had the 
kit sent to the wrong address. He's going to 
kill me." 

From there, through the course of a half-hour 
call, she didn't just obtain a copy of the fran- 
chise kit, she convinced the help line person 
to enter an entirely new franchise into the sys- 
tem. She was given a drug store. 

Normally, a drug store franchise for this com- 
pany is priced in the mulltiple six-figures. In 30 
minutes, she convinced him to give her one. 
Suffice it to say, the client was happy. And 
scared. 

Note that she didn't get the franchise by "just 
asking for it", nor pretending to be someone in 
the right position. Sure, she used both tactics. 
But most social engineers couldn't have 
dreamed of pulling it off. She did it by using 



the skills of a really advanced well-trained so- 
cial engineer. 

Social engineering - a definition 

First, I should define what "social engineering" 
really is. The definition that fits best is a sim- 
ple one: "the use of skills of influence and 
misdirection to obtain information or access 
that is generally inappropriate". While there 
are more complex definitions, this one cuts 
right to the heart of the matter. 

Note that this type of activity can happen in 
ANY media. While most think of the social en- 
gineer as someone who is using face-to-face 
methods or phone calls, a phishing attack or 
an exploit triggered by getting a user to a 
website all fall under the same definition. In- 
deed, many of the most sophisticated social 
engineering engagements that I have been 
involved in have included some measure of 
technological exploitation to extend or en- 
hance the use of influence or misdirection. 

The three defining skills of a social 
engineer 

So, what are these skills of influence and mis- 
direction that I keep referring to? When you 
observe and analyze the work of many social 
engineers, you can ultimately describe every 
engagement and every act of social engineer- 
ing in terms of only three skills: 

1. Language: The ability to use words artfully 

2. Awareness: The ability to understand the 
effect of one's actions on other people 

3. Framing: The ability to manipulate contexts 
or "frames". 

These three skills are present in every great 
social engineer. In every case, the better a 
social engineer is, the more complete their 
skill sets are in these areas. A social engineer 
who is deficient in any of the areas will have 
difficulties in many engagements. 

The rest of this article is going to describe the 
skills in each of these areas. The lessons here 
are going to be drawn from a variety of disci- 
plines. First, my experience in social engineer- 
ing, but also training and experience with psy- 
chology, hypnosis, neurolinguistic program- 
ming, neuroscience, economics, and stage 
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magic. With some smattering of marketing, 
sales and PR (because who else is better at 
getting their ideas in to people's heads?). 

Language - a model of reality 

"Language can both represent reality and 
shape it." Linda Ferguson and Chris Keeler, 
NLP Canada 

Language is not real. While that may seem 
like an obvious statement (as you know the 
difference between an apple and the word 
"apple"), most of us often treat language as a 
very, very close analogue to reality. In fact, as 
pointed out by the quote above, language of- 
ten can affect reality, especially when used 
artfully. If it couldn't, there would be very little 
reason for you to be reading the words on this 
page right now - my words are shaping your 
version of reality as you read this. 



The reason that language shapes reality is 
that language acts as a mental model of the 
world. In fact, the mind actually processes 
language as though it is real. As you hear or 
read, your mind processes the language in to 
a representation of the experiences being de- 
scribed. Neuroscience has shown that what is 
vividly represent in the mind is actually proc- 
essed by the mind as though it is actually 
happening. As an example, if I vividly describe 
to you the experience of eating an apple, your 
mind will engage many of the same neurons 
as would be engaged if you were actually 
eating the apple. 

This ability is the basis of the human ability to 
process language. It is also the basis of the 
ability of one person to influence another. But 
more on that in a minute... 



The reason that language shapes reality is that language acts 
as a mental model of the world. 



First, there's a big problem. Language is an 
utterly incomplete model of reality. The use of 
the term "model" is an apt one - much like a 
model of a race car is similar to the actual 
race car, the linguistic representation of an 
experience is similar to the actual experience. 
But it has a different scale, has things left out, 
and is distorted in particular ways. When 
building a model race car, there is also a pur- 
pose - namely, to be able to keep the race car 
on your shelf rather than in your garage. 

With language, the reasons for these distor- 
tions are similar - language would be incredi- 
bly burdensome if you tried to make an even 
moderately complete version of the most trite 
experience. 

For example, back to the idea of eating an 
apple: imagine making a complete description 
of even one bite of the apple: how it felt to 
open your mouth, the feeling of your lips on 
the apple, the pressure on your teeth as you 
start to bite in to the apple, then the feeling of 
saliva being excreted and the feeling of each 
set of taste buds, etc. And that wasn't even 
close to a description, as it left out the sounds, 
the smells, sights, etc. 



What you would probably say, most of the 
time, is: "I bit in to the apple." Behind that 
statement, you have left out a huge amount 
of information. Imagine, for a second, what 
level of information is deleted with a statement 
like "I'm happy." 

The two acts of language 

Language is treated as real by the mind. And 
it's horribly incomplete. These are two of the 
most important things for any social engineer 
to know, because it is the ability of the mind to 
treat language as real that enables you to ac- 
tually influence people and get the access you 
want. It is the incompleteness that creates the 
opportunities to use language in artful ways to 
create that influence. But there are two differ- 
ent sets of rules - one for each action of lan- 
guage. Every linguistic act can be isolated in 
to one of two purposes: the act of information 
transfer and the act of influence. 

Information transfer is what you probably 
spend most of your time doing when using 
language. Most of the time, you are either tell- 
ing someone something or requesting that 
they tell you something - pulling information 
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from people or pushing information to them. 
Nearly every statement in this article has been 
an act of information transfer (including this 
sentence). Most sentences are designed to 
provide a piece of information to you that you 
can assimilate and remember. 

The rest of your time, you spend working to 
influence someone to change their opinions or 
positions on something. In that case, you are 
not conveying nor requesting information, but 



attempting to change the thinking of another. 
Note that these linguistic acts are not usually 
the province of logic or rationality. This is the 
domain of the emotions (neurologically speak- 
ing, the amygdala). I am not speaking of a 
logical argument - much of the time, logical 
debate comes down to information transfer. 
True acts of influence attempt to influence the 
decision-making machinery in the brain 
through the altering of the model of a person's 
reality. 



When making statements, the aim is to make statements as precise 
as required for the purpose of the communication. 



Information transfer 

The act of information transfer is, as I inti- 
mated above, bidirectional. Information can be 
transferred to someone with what you say (by 
telling them), or you can request information 
from them. Above all, the goal is to overcome 
the incompleteness of the language that the 
person is using. For example, imagine the fol- 
lowing exchange: 

Target: "I can't tell you my password. " 
Social Engineer: "Why can't you?" 
Target: "It's against policy" 
Social Engineer: "Which policy?" 
Target: "The information security policy." 
Social Engineer: "You have an information se- 
curity policy? What does it say?" 
Target: "It says not to reveal passwords to un- 
authorized staff. " 

Note that, for each of the questions asked by 
the social engineer, she is requesting a piece 
of information that was left out of the previous 
statement that the target made in order to 
make the information more precise. This is the 
fundamental rule of information transfer: pre- 
cision. When making statements, the aim is to 
make statements as precise as required for 
the purpose of the communication. And when 
requesting information, the goal is to obtain 
information at the level of precision that is ap- 
propriate for the purpose of the conversation. 



neer. Where precision is the fundamental con- 
cept of information transfer, the fundamental 
concept of influence is agreement. This is not 
agreement in the sense of logical, rational or 
conceptual agreement, but the act of ensuring 
that your language creates a situation where a 
statement (or set of statements) is not possi- 
ble to disagree with. One of the major de- 
fense mechanisms in the mind is that of dis- 
agreement - if I say something that you can 
disagree with, you are immediately aware of 
the content of the sentence. If, however, I 
were to say something that you couldn't dis- 
agree with, the content in the statement will 
slip in to your mind completely intact. 

This is easier to show through example. 
Which of these statements do you agree with? 

"/ could imagine that you have a sensation in 
your hand. " 

"I know that you have a stabbing pain in your 
right hand. " 

Even if you happen to have a stabbing pain in 
your right hand at this moment, you are defi- 
nitely in agreement with the first sentence. 
And, as you read the first sentence, you 
probably became (even though only momen- 
tarily) aware of the sensation in one of your 
hands. While, in the second statement, your 
reaction was probably a more simple one: 
"Nope, no pain. " 



Influence 

While information transfer is important, influ- 
ence is the true domain of a great social engi- 



It is this "artful vagueness" that is repeatedly 
mocked in business speak or "market-ese", 
but the reason that this language is used is 
that it is impossible to disagree with. 
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For example, what company in the world 
could not use this as a mission statement: 

"We aim to be the value-added leader in 
business solutions. " 

While this language seems ridiculous, this 
same language is used to allow you to create 
representations in your mind while always re- 
maining in agreement with the social engineer 
(or marketer). For example, imagine that you 
and I are on a social engineering engagement 
and I am trying to convince you to give me 
your password (or a drug store franchise). 
I could say something like: 

"I know it could seem strange for me to ask 
this of you. But you can imagine that it is diffi- 
cult for me to be asking and how it would feel 
to be under the pressure that I'm under from 



my boss and how much I need your help right 
now, and how it would be for you to need my 
help so badly. And you could imagine that in 
the same situation, your human kindness will 
be a wonderful benefit and how great that will 
make you feel" 

Note that I used a few patterns in that exam- 
ple that made the statement impossible to 
disagree with ("It could seem...", "You can 
imagine...") - this makes the statement a won- 
derful exploit for the human mind. 
While I could talk about this in far greater de- 
tail, this article is getting long. Next time I'll go 
into detail about the other two skills of social 
engineering - awareness and the ability to 
create a frame. And how to put this all to- 
gether in to a social engineering engagement 
that really works. 



Mike Murray is an experienced social engineer, trained hypnotherapist, and long-time information security pro- 
fessional. He currently is the Director of Neohapsis product testing lab, and is the author of the upcoming book 
"Social Engineering: Advanced Human Exploitation". Read his blog at www.episteme.ca. 
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Free visualization tools for security analysis 
and network monitoring 

By Sam Abbott-McCune, A.J. Newtson, Robert Ross, Rolph Ware, and Gregory Conti 




Whether you are a security analyst, system administrator or technical man- 
ager, chances are you are confronted with an overwhelming sea of security 
related data. Typically, we analyze this data with textual reports, command line 
scripts, or simple pie graphs and bar charts. However, there are much richer 
ways to analyze and explore the data using information visualization tech- 
niques. Information visualization systems attempt to create insightful and 
interactive graphical displays that exploit the human's extremely powerful 
visual system. 



If done correctly, users will be able to examine 
more data, more quickly and see anomalies, 
patterns and outliers in ways that textual data 
simply cannot provide and machine proces- 
sors cannot detect. 

In this article, we present a number of free 
visualization systems that you can use to help 
find insight in your data. Where applicable, 
we've also included links to other tools you 
may wish to explore. In order to provide a 
broad overview of available options, we've 
sought out tools across a number of security 
related domains, including: network visualiza- 
tion, packet visualization, network manage- 
ment, and port scan visualization, as well as 
general purpose tools that can be used with 
many types of security data. 



Network visualization 

The Interactive Network Active-traffic Visuali- 
zation (INAV), see Figure 1, is a monitoring 
tool that allows network administrators to 
monitor traffic on a local area network in real- 
time without overwhelming the administrator 
with extraneous data. The visualization tool 
can effectively perform a variety of tasks from 
passively mapping a LAN to identifying reoc- 
curring trends over time. 

Currently, INAV supports Ethernet, IP, TCP, 
UDP, and ICMP. INAV is implemented using a 
client-server architecture that allows multiple 
administrators to easily view network traffic 
from different vantage points across the net- 
work. 
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Once established, the INAV server passively 
sniffs data from the network and dynamically 
displays activity between different nodes on 
the network while keeping statistics on band- 
width usage. 

The current state of the network is stored and 
broadcast to the different INAV clients. The 
INAV client uses an intuitive, lightweight 
graphical user interface that can easily change 
views and orient on specific clusters of nodes. 
Once a node on the network is selected, the 
client highlights any node that has sent traffic 
to or from that location. The client receives the 
current state of the network with a variable re- 
fresh rate that is adjustable to limit INAV gen- 
erated communications on the network. Instal- 
lation of the tool is straight forward and its op- 



eration is very intuitive. The INAV server runs 
on any Linux operating system with root privi- 
leges, while the client was developed in Java 
and can be run on most operating systems. 

You can download INAV at inav.scaparra.com 
and a detailed white paper is available at 
inav.scaparra.com/docs/whitePapers/INAV.pdf. 
You may also wish to explore other network 
visualization systems including Afterglow 
(afterglow.sourceforge.net), Doomcube 
(www.kismetwireless.net/doomcube), 
Etherape (etherape.sourceforge.net), FlowTag 
(chrislee.dhs.org/pages/research/projects.html 
#flowtag), and Packet Hustler 
(shoki.sourceforge.net/hustler). 
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Figure 1: The Interactive Network Active-traffic Visualization (INAV) system passively 
sniffs network traffic and dynamically creates network graphs. 



Nmap visualization 

The fe3d network visualization tool, see Figure 
2, is an open source application that works in 
conjunction with nmap and presents scan re- 
sults using a 3-dimensional cone tree visuali- 
zation (see citeseer.ist.psu.edu/308892.html 
for more information on cone trees). 



Fe3d can be used with either imported nmap 
XML scan files or, alternatively, the user may 
launch and observe scans in real time. It also 
allows the user to routinely monitor network 
nodes for security issues such as open ports 
without requiring textual analysis. Fe3d gives 
the user the same scan results as command- 
line nmap, but in a very intuitive, easily under- 
stood 3-dimensional visual format by 
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graphically portraying the network node's op- 
erating system, IP address, and all open ports 
found on the node. This tool requires the fol- 
lowing additional open source applications, 
Xerces-C++ XML parser 
(xerces. apache. org/xerces-c/install. html) and 
wxWidgets(www. wxwidgets.org/downloads/). 
We initially encountered difficulties interfacing 
the XML parser and wxWidgets on Linux op- 



erating systems, but found Windows installa- 
tion to be quite straightforward, although we 
recommend that you use a recent version of 
Microsoft Visual C++ for easier installation. If 
interested in installing and testing fe3d go to 
projects.icapsid.net/fe3d. There you will also 
find very well written installation and configu- 
ration instructions. 




Figure 2: The fe3d visualization tool acts as a 3D front end for nmap scans. 



www.insecuremag.com 



20 



Network monitoring 

There are a wide range of tools for network 
monitoring that give a graphical overview of 
activity on the network. One of the original 
tools on the market was WhatsUp Gold 
(www.whatsupgold.com). WhatsUp Gold is a 
robust and scalable, but expensive monitoring 
system. 

Although WhatsUp Gold is a quality product, 
we found that OPManager 
(www.opmanager.com), see Figure 3, pro- 
vides most of the same functionality in addi- 
tion to being available as freeware for network 
administrators of less than 10 critical systems. 
Available for Windows and Linux platforms, 
OPManager installs a password protected 
webserver on the designated host, which is 
accessible from any client on the network. 
Some of the OPManager's functionality in- 
cludes: WAN monitoring, services monitoring 
(Web, FTP, SMTP, LDAP, DNS, and more), 



application monitoring (MySQL, Microsoft Ex- 
change, among others), Windows Services 
monitoring (IIS, DHCP Server, Event Log), 
URL monitoring, server, and switch monitor- 
ing, among other functionality. The network 
status is clearly represented by numerous re- 
ports and customizable network displays. 
OpManager is fairly intuitive and easy to set 
up. 

Another product to try is Nagios 
(www.nagios.org). Nagios is Linux-based and 
Firefox-friendly. However, Nagios can be diffi- 
cult to setup initially, but if you are familiar with 
PHP include files (.inc), then subsequent net- 
works can be easily configured. Nagios is also 
a web-based client/server package which 
gives near real time updates. Another software 
package that is worth checking out is OSSIM 
(www.ossim.net). OSSIM is a Linux-based so- 
lution which goes beyond simple monitoring 
by integrating software such as Snort and 
Nessus. 




Figure 3: The free version of OpManager lets a network or system administrator monitor up to 10 hosts. 



Packet visualization 

Wireshark (www.wireshark.org) is the best of 
breed tool for protocol analysis and provides a 
powerful text-based GUI for analyzing network 
traffic captures. 



RUMINT (www.rumint.org), a prototype 
graphical network sniffer, takes a different 
approach. It lets an analyst compare large 
numbers of packets, including both header 
fields and payloads, using seven different 
visualization windows. 
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Figure 4 shows a parallel coordinate plot (top 
left) that allows comparison of up to 19 packet 
header fields, a binary rainfall view (top right) 
which plots the raw bits from each packet and 
a text rainfall view (bottom left) which uses 
Unix strings-like functionality to display print- 
able ASCII characters, one packet per hori- 
zontal row, as well as a detail view (bottom 
right) to see a single packet in hexadecimal 
and ASCII. Not shown are three additional 
visualizations, a scatter plot that plots any 
combination of packet header fields on a two- 
dimensional display, an animated visualization 



of packets emanating from ports and IP ad- 
dresses, and a byte frequency visualization 
that displays a scrolling graph of bytes con- 
tained within each packet. RUMINT uses a 
VCR metaphor, where an analyst loads a 
packet capture file and "plays" back the pack- 
ets in the visual displays. Because it is a pro- 
totype, RUMINT lacks the robust filtering and 
protocol parsers included with tools like Wire- 
shark and is limited to 30,000 packets. It runs 
on Windows XP and later systems, but has 
been used successfully on Linux using Wine. 




General purpose visualization 

Many Eyes is a free service offered by IBM 
and is an efficient and simple web-based ap- 
plication that incorporates numerous visualiza- 



tion techniques and facilitates collaborative 
analysis of security data. For example, after 
you collect network traffic from a tool such as 
Wireshark you can output the data to a 
comma separated value (CSV), upload it to 
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Many Eyes and view it using a number of in- 
teractive visualizations. (Note that a spread- 
sheet, such as Excel, can be very useful as an 
intermediate step to enhance or clean-up the 
dataset). A simple data table with named col- 
umns, each of the same length is required. 
Each column in the table supports two data 
types, text or numeric. You upload your data to 
Many Eyes via an HTML form by copying and 
pasting your data set. 

Although Many Eyes has a dozen different 
types of visualization components, the net- 
work graph and treemap often provide the 
best insight into network traffic. Once a data 



On the following page is a snapshot of a simi- 
lar network data capture, but using a treemap 
visualization technique. Treemaps are useful 
for visualizing hierarchical data, such as net- 
work addresses, as nested rectangles. 

In the case of Figure 6 on the following page, 
the rectangles contain destination IP address, 
where the size of each rectangle corresponds 
to the quantity of packets, and the color corre- 
sponds to the destination port, where white is 
used for lower port numbers and dark orange 
for higher values. This visualization provides 



set is uploaded to the Many Eyes server, you 
simply select a desired visualization compo- 
nent, allowing for flexible exploration. 

Figure 5, is a snapshot of a network data cap- 
ture from a Defcon Capture the Flag competi- 
tion shown using the graph visualization com- 
ponent. The data set presented in this visuali- 
zation contains the source and destination IP 
address of each packet. The Java applet is 
interactive and allows you to pan or zoom the 
view of the visualization as desired. Selecting 
a node, show in orange in the figure, high- 
lights all adjacent nodes to facilitate analysis. 
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an alternative way to look at network data that 
can quickly identify patterns or anomalies, that 
a graph-based visualization cannot. 

The benefit of Many Eyes is that it allows ex- 
perimentation with a large number of visuali- 
zation techniques and supports public collabo- 
rative analysis. 

Registered users of Many Eyes (note that reg- 
istration is free) can view, post comments and 
create additional visualizations based on a 
given dataset. 
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Figure 5: Using the Many Eye's visualization tool to graph a Defcon Capture the Flag Dataset. 
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Treemap Hierarchy (Drag to Reorder) :on IP > 




Unfortunately, at this time, there is no way to 
make a dataset or visualization private. Be- 
cause of this issue, many network administra- 
tors may be reluctant to post data associated 
with their network. We leave it up to you to 
balance the risk of sharing your data against 



the strength of ManyEyes' visualization tech- 
niques and collaborative analysis facility. If you 
like Many Eyes, you may wish to explore other 
similar offerings such as Swivel 
(www.swivel.com) and the Google Chart API 
(code.google.com/apis/chart). 



Name 


Notes 


URL 


Afterglow 


Graph visualization 


afterglow.sourceforge.net 


Doomcube 


3D IP address and port visualization 


www.kismetwireless.net/doomcube 


Etherape 


Network graph visualization 


etherape.sourceforge.net 


fe3d 


nmap visualization 


projects.icapsid.net/fe3d 


INAV 


Visualization of network bandwidth, source 
and destination nodes 


inav.scaparra.com 


FlowTag 


Visualization of network flows 


chrislee. dhs.org/pages/research/projects. h 
tml#flowtag 


Google Chart API 


Allows creation of dynamically generated 
charts 


code.google.com/apis/chart 


Many Eyes 


General purpose visualization tool, accepts 
most CSV data 


services.alphaworks.ibm.com/manyeyes 


Nagios 


Network monitoring 


www.nagios.org 


OpManager 


Network monitoring 


manageengine.adventnet.com 


OSSIM 


Network and security data monitoring 


www.ossim.net 


Packet Hustler 


Network traffic visualization 


shoki.sourceforge.net/hustler 


RUMINT 


Packet-level sniffing and visualization 


www.rumint.org 


Swivel 


General purpose charting tool 


www.swivel.com 


Wireshark 


Best of breed protocol analysis tool. 


www.wireshark.org 



Conclusion 

Security data visualization is an active area of 
research. In the near future expect to see 
tools that not only present data in insightful 
ways, but also help bridge the gap between 
human analysts and machine processing. 



Human time and attention are a precious re- 
source 

Researchers are currently developing tools 
that allow insights made by human analysts to 
be offloaded to machine processors. 
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A good example is a tool that facilitates analy- 
sis of a new malware variant and allows the 
analyst to immediately generate a Snort signa- 
ture. 

We encourage you to evaluate the tools listed 
here, see Table 1 , but more are being devel- 
oped frequently. Two places to monitor for the 
latest developments are www.secviz.org or- 
ganized by Raffy Marty and www.vizsec.org 
sponsored by SecureDecisions 
(www.securedecisions.com). For the latest se- 
curity visualization research consider partici- 



pating in the annual VizSEC Workshop 
(vizsec.org/workshop2008). The next VizSEC 
will be held in Boston on September 15, 2008 
in conjunction with the Recent Advances in 
Intrusion Detection (RAID) Symposium. 

One final note, we are currently in the process 
of attempting to catalog all open source secu- 
rity visualization projects, current and histori- 
cal, if you have a suggestion please feel free 
to send an email to gregory-conti@usma.edu. 
We will freely share the results of the survey 
with the security community. 



Sam Abbott-McCune is currently an Instructor, teaching Information Technology, Network Systems Manage- 
ment and Theory and Practice of Military IT Systems, at the United States Military Academy at West Point. He 
received his Master's Degree in Computer Science from Virginia Commonwealth University. 

A.J. Newtson is currently an Instructor, teaching Theory and Practice of Military Information Technology Sys- 
tems, at the United States Military Academy at West Point. He received his Master's Degree in Information 
Technology Management from the Naval Postgraduate School. 

Robert Ross is presently an Information Technology Instructor at the United States Military Academy at West 
Point. He received a Master's Degree in Computer Science from Monmouth University. 

Ralph Ware is currently a Course Director and Instructor, teaching Information Technology, at the United 
States Military Academy at West Point. He received his Master's Degree in Computer Science from the Geor- 
gia Institute of Technology. 



Gregory Conti, Director of the Information and Technology and Operations research center and Assistant Pro- 
fessor of Computer Science at the United States Military Academy, is the author of Security Data Visualization 
(No Starch Press) and the RUMINT visualization tool. His work can be found at www.gregconti.com. 



WinSCP is freeware SFTP, FTP client for Windows using SSH, 
Its main function is safe copying of files between a local and 

a remote computer. 
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Download it for free at winscp.net 
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Mac OS X Leopard On Demand 

By Steve Johnson 

Que, ISBN: 0789736543 

This book uses real world examples to give you a context in which to perform a 
task. Some of the topics covered include Master the Mac OS X Leopard user 
interface, file management, and applications, use Windows along with Leopard 
using Boot Camp, customize and fine-tune Mac OS X Leopard, set up multiple 
users and maintain security, keep your files up to date and backed up with Time 
Machine, and more. "Mac OS X Leopard On Demand" is written by people from 
Perspection, e-learning provider specializing in online IT training. 



Network Security Assessment: Know Your Network (2nd Edition) 

By Chris McNab 

O'Reilly, ISBN: 0596510306 



Network Security Assessment provides you with the tricks and tools 
professional security consultants use to identify and assess risks in Internet- 
based networks-the same penetration testing model they use to secure 
government, military, and commercial networks. This new edition is up-to-date 
on the latest hacking techniques, but rather than focus on individual issues, it 
looks at the bigger picture by grouping and analyzing threats at a high-level. By 
grouping threats in this way, you learn to create defensive strategies against 
entire attack categories, providing protection now and into the future. 





Network 
Security 
Assessment 
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Apache Cookbook (2nd Edition) 

By Rich Bowen, Ken Coar 

O'Reilly, ISBN: 0596529945 



The new edition of the Apache Cookbook offers you updated solutions to the 
problems you're likely to encounter with the new versions of Apache. Written by 
members of the Apache Software Foundation, and thoroughly revised for 
Apache versions 2.0 and 2.2, recipes in this book range from simple tasks, 
such installing the server on Red Hat Linux or Windows, to more complex 
tasks, such as setting up name-based virtual hosts or securing and managing 
your proxy server. 



CCNA Exam Cram (3rd Edition) 

By Michael Hayes Valentine and Andrew John Whitaker 

Que, ISBN: 0789737124 

This book covers CCNA exam topics including: connecting Cisco equipment, 
make initial configurations, and connect to other devices to build a network, 
configuration of Cisco routers and the process of backing up and restoring your 
Cisco IOS software configurations, the configuration of PPP and Frame Relay for 
WAN connectivity, the mitigation of network security threats and secure network 
devices, the filtering of traffic from one network to another with access control 
lists, and much more. 



Network Security Hacks (2nd Edition) 

By Andrew Lockhart 

O'Reilly, ISBN: 0596527632 



The second edition of Network Security Hacks offers 125 concise and practical 
hacks, including more information for Windows administrators, hacks for wireless 
networking (such as setting up a captive portal and securing against rogue 
hotspots), and techniques to ensure privacy and anonymity, including ways to 
evade network traffic analysis, encrypt email and files, and protect against 
phishing attacks. 



Microsoft Windows Home Server Unleashed 

By Paul McFedries 

SAMS, ISBN: 0672329638 

Microsoft Windows Home Server Unleashed takes a deep look at what makes 
this new server operating system tick. Inside you'll learn how the Windows 
Home Server storage system combines multiple hard disks into a single 
storage space that expands and contracts automatically as you add and 
remove hard disks, how to access your files from any PC in the network and 
provide secure access to the network via the Internet for your users, how to 
automate the backup of every computer on your network and more. 





NETWORK 
SECURITY 
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Computer Security Basics (2nd Edition) 

By Rick Lehtinen and G.T. Gangemi 

O'Reilly, ISBN: 0596006691 

The new edition builds on the well-established principles developed in the 
original edition and thoroughly updates that core knowledge. For anyone 
involved with computer security, including security administrators, system 
administrators, developers, and IT managers, Computer Security Basics 2nd 
Edition offers a clear overview of the security concepts you need to know, 
including access controls, malicious software, security policy, cryptography, 
biometrics, as well as government regulations and standards. 



Mac OS X Leopard: The Missing Manual 

By David Pogue 

Pogue Press, ISBN: 059652952X 



Mac OS X: The Missing Manual, Leopard Edition is the authoritative book for 
Mac users of all technical levels and experience. If you're new to the Mac, this 
book gives you a crystal-clear, jargon-free introduction to the Dock, the Mac OS 
X folder structure, and the Mail application. 

There are also mini-manuals on iLife applications such as iMovie, iDVD, and 
iPhoto, and a tutorial for Safari, Mac's web browser. 



Networking with Microsoft Windows Vista 

By Paul McFedries 

Que, ISBN: 0789737779 

Your Guide to Easy and Secure Windows Vista Networking is a complete 
beginner's guide to creating, configuring, administering, and using a small 
network using Windows Vista computers. Inside you'll find comprehensive 
coverage of networking hardware, including ethernet (wired) hardware (from 
NICs to cables to switches to routers) and wireless hardware - from wireless 
NICs to access points to range extenders. 



Read the review at HNS: www.net-security.org/review.php?id=174 

Cisco Networking Simplified (2nd Edition) 
By Neil Anderson, Paul L. Delia Maggiora, Jim Doherty 

Cisco Press, ISBN: 1587201992 

Even if you've never set up or managed a network, this book helps 
you quickly master the concepts you need to understand. Its full- 
color diagrams and clear explanations give you the big picture: how 
each important networking technology works, what it can do for you, 
and how they all fit together. The authors illuminate networking from 
the smallest LANs to the largest enterprise infrastructures. 

Read the review at HNS: www.net-security.org/review.php?id=174 






Cisco Networking 

Simplified 
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One product, five DeFeNPERs. 
Five antivirus engines, ons choice 
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Web application vulnerabilities and insecure software root 
causes; solving the software security problem from an 
information security perspective 

By Marco M. Morana 



Before to diagnose the disease and provide the cure a doctor looks at the root 
causes of the patient sickness, the risk factors and the symptoms. In case of 
application security most of the root causes of the security issues are in 
insecure software: the risk factors can be found in how bad the application is 
designed, the software is coded and the application is tested. 



Typical symptoms of insecure software are the 
exposure to web application vulnerabilities as 
well as weaknesses in the application security 
controls. How critical such vulnerabilities are 
really depends on what the application is de- 
signed for: in case of on-line retailers, weak- 
nesses in web application security controls 
might allow for a malicious user to manipulate 
the price of an item or the shipping address. 
The cause of these vulnerabilities, in most of 
the cases, is due of not validating on the 
server side data that can be manipulated via 
web pages on the client side. 

Web applications that handle customer sensi- 
tive data such as credit card information might 
be exposed to the risk of identity theft as well 
as fraudulent transactions. In the case of 
banking on-line applications and web sites de- 
livering financial services such as insurance, 
mortgages, brokerage for example, identity 



theft is a growing threat and often times is fa- 
cilitated by web application vulnerabilities 
such as lack of strong security controls for in- 
put validation, weak authentication and 
authorization, weak session management as 
well as data poor data protection in transit and 
storage. 

Practically every business that has a web 
presence on-line has a inherent risks due to 
the exposure and the potential web applica- 
tion vulnerabilities. Such risks are more or 
less quantifiable. For example, if the web site 
has been just defaced the impact can be 
"reputation" and the loss is a matter or percep- 
tion. In the case of losing credit card holder 
information the monetary loss is in terms of 
fines for non compliance with security stan- 
dards such as PCI as well as law suits on be- 
half of the third parties suffering the loss (e.g. 
banks). 



www.insecuremag.com 



30 



From the information security perspective you 
can learn how important PCI compliance and 
lawsuits are to retailers by looking at the TJ 
Maxx data breach and credit card fraud inci- 
dent: tinyurl.com/22zsm3. 

In case of financial institutions with on-line 
presence losses due to web application vul- 
nerabilities can also be directly quantifiable in 
term of exposure of the site to potential 
fraudulent transactions. Common vulnerabili- 
ties might include weak authentication that al- 
lows unauthorized access, server buffer over- 
flows causing a denial of service, loss of con- 
fidential information due of weak data protec- 
tion controls (e.g. sensitive data not en- 
crypted), weak session management (e.g. 
session tokens in clear, re-use of someone 
else user session) as well as server mis- 
configurations (SSL not enforced, admin web 
pages left on the production site, non essen- 
tial services left running, application informa- 
tion disclosure via test web pages etc.) 

Web application vulnerabilities represent a big 
cost to organizations that need to fix them: 
according to a NIST study in 2002 
(tinyurl.com/2fq8tr) the cost of fixing vulner- 
abilities in applications was estimated to be 59 



billions USD. In a recent study David Rice, di- 
rector of the Monterey Group who has just 
published a new book called "Geekonomics: 
The Real cost of Insecure Software" has esti- 
mated the 2007 dollar figure of the actual cost 
of insecure software to the U.S. to be at least 
$180 billion per year. 

Now the main question is, if insecure software 
has so big impact on our economy why we are 
not getting better on building secure web ap- 
plications? Finding the real answer is not easy 
and probably the truth is in the details, so let's 
try to find it. 

First of all is important to understand that 
software security awareness does not happen 
overnight. Fixing software for security is a 
more complex problem to deal with that most 
security practitioners might think of. It is com- 
plex because requires an holistic approach 
involving people with different skills such as 
developers that build secure applications and 
security officers that manage the security 
risks, processes with different disciplines such 
as software security engineering and threat 
analysis and least and not last new security 
technologies and security assessment tools. 




% Defects 
introduced 
in this phase 

% Defects 
found in 
this phase 

£ Cost to 
repair defect 
in this phase 



- eld 
Test 



Post 
Release 



Sourc-e. Applied SoUware Measurement. Capers Jones, f 996 



Figure 1 : The cost of fixing bugs in the SDLC. 
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Most of all, software security requires a differ- 
ent perspective in the way companies tradi- 
tionally view the solution of insecure software. 
For most of development shops fixing inse- 
cure software that really means: stop try to fix 
security bugs (security issues in code) when 
the software is already build and shipped to 
production. According to a software defect 
metrics compiled by Capers Johns back in 
1 996 about 85 % of overall defects are intro- 
duced during coding. If you compile the same 
metrics today with your applications, depend- 
ing on the maturity of your software security 
processes, you probably will find a number of 
55% or higher: that proves the point! 

Timing to address the security issues is also a 
critical factor, from the perspective of spend- 
ing your $$ to fix the security issues in the 
software you build, the later you wait to ad- 
dress them the more expensive they will be- 
come. As shown in Figure 1 on the previous 
page, the cost of implementing a code change 
for fixing a security bug during coding will in- 
crease exponentially when addressed later in 
the SDLC during field test and post release. 

In case of software products such as web ap- 
plications the majority of security issues are 
due to coding errors no matter how you ap- 
proach the problem of insecure software, from 
either the software security (build security into 
the SDLC) or application security perspective 
(catch and patch). 

If indeed most of the vulnerabilities found are 
security issues due to insecure coding that's 
where the focus should be. If you are not sure, 
set up a target such as trying to eliminate at 
least 30% of vulnerabilities found during pene- 
tration tests (e.g. ethical hacks) that might 
have root causes in software. Set up a soft- 
ware security framework for software activities 
and a roadmap by looking at state of the art 
best practices in software security assurance: 
tinyurl.com/3yk3cn. 

Most importantly, take into account the matur- 
ity of the software security practices within 
your organization so you can realistically as- 
sess the maturity level of the software security 
practices within organization and what realisti- 
cally you can achieve in the short and in the 
long term. 



If your software security practices are not yet 
mature yet you can start with a set of tactical 
activities such as secure coding standards 
and source code analysis. The next step could 
be validation with security testing at compo- 
nent level (unit tests) and security tests inte- 
grated with system tests. 

From the information security perspective you 
can also look at enforcing software security 
throughout your organization as part of infor- 
mation security and risk management proc- 
esses: for software security compliance you 
could also include regulatory guidance (e.g. 
FFIEC) as well as industrial standards (e.g. 
VISA PCI). 

A set of software security requirements is the 
best place to start to address the root causes 
of web application vulnerabilities. Software 
security is a defensive game: that means em- 
powering software developers with best prac- 
tices that allow them to build strong security 
controls. It also means thinking like an at- 
tacker that is making sure the software devel- 
opers know what the common threats to web 
applications are, how can be exploited and the 
resulting impact. 

From the defensive perspective, if we look at 
common web application vulnerabilities as a 
result of weaknesses in software mitigation 
controls, it is possible to generalize the soft- 
ware security issues in basic category types 
using the Web Application Security Frame 
(WASF) tinyurl.com/yrj44k: 

• Access Control: Authentication and Authori- 
zation 

• Configuration Management 

• Data Protection In Transit and Storage 

• Data Validation 

• Error and Exception Handling 

• Logging and auditing 

• User and Session Management 

By categorizing web application vulnerabilities 
as weakness in security controls it is easier to 
describe the root causes in terms of coding 
errors. For example the buffer overflow vul- 
nerability is the direct cause of lack of input 
validation that can be addressed with software 
input validation requirements as well as other 
coding requirements such as use of safe 
string manipulation APIs. 
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To approach web application vulnerabilities 
that have root causes in software is important 
to describe them according to software secu- 
rity assessment criteria: 

1 . The security threat that the issue is ex- 
posed to 

2. The software security root cause of the vul- 
nerability 

3. How to find the potential vulnerability 

4. The countermeasure 

5. The risk rating. 

Describing what the security threat is helps to 
understand why the mitigation control is not 
effective. The software security root cause of 
the vulnerability is the code snipped (e.g. the 
offending source code) that need to be fixed. 
It is important also to provide guidance to the 
software developer on how to find the poten- 
tial vulnerability. For example, by looking at 
the source code it is possible to spot the vul- 
nerability. This can be done with a "white box 
testing technique: that consists on a security 
code review with the help of a source code 
analyzer (e.g. static parser) to point out the 
area of the code that could possibly present 
vulnerability. In most cases this vulnerabilities 
can also be spotted via a black box technique 
(penetration test) to validate the critical expo- 
sure of the vulnerability to the front end (e.g. 
client). The countermeasure in this case con- 
sists on a sample of secure code that does 
not present (aka mitigates) the vulnerability. 

Finally the risk rating helps to prioritize the 
remediation effort. Typically assigning a risk 
rating to the vulnerability involves a risk analy- 



Table 1 : Weak Web Based Authentication 



sis based upon factors such as impact and 
exposure. Most of organizations have estab- 
lished information risk analysis processes that 
can be used as a reference to assign severity 
to vulnerability. If your organization does not 
have one, you can refer to best practices such 
as the one referred in the OWASP Testing 
Guide - tinyurl.com/ytf48z 

Some examples on how to document root 
causes for some basic web application vul- 
nerabilities are included herein in tables 1 to 
7. 

Finally, if you document secure software re- 
quirements in a standard document is also 
important that your organization put in place a 
process to verify compliance with the stan- 
dards, typically this means performing a 
source code review and source code analysis 
with the help of automated tools such as code 
scanners. If such is too restrictive and costly 
for your organization, you could deliver soft- 
ware security best practices as a guideline 
document. 

Finally software security training is critical as 
well as the use of adequate tools for source 
code analysis, make sure that you effectively 
communicate software security best practices 
to software developers. 

Secure software requires people, process and 
tools as any other information security initia- 
tive within your organization. Above all com- 
mitment from different levels of management 
within your organization is the key to deliver a 
successful software security initiative. 



Vulnerability 


Weak Web Based Authentication 


Vulnerability type 


Access Control: Authentication 


Security issue 


Weak authentication used to verify a user outside the trust boundary 
of the web application. 


Security threat 


Basic authentication credentials (username and password) are 
passed in clear from the authentication component to the client and 
BASE64 encoded. A malicious user can capture and decode such 
credentials during transmission with the use of a web proxy. 


Software security root cause 

I 


The "web.config" file is potentially configured to use HTTP Basic 
authentication. 

<system. web> 

Authentication mode="Windows" /> 
</system.web> 
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How to find the potential vulnerability Source code review the web configuration file "web.config" and 

verify that the authentication mode is not set to Windows. On the 
client, the user sees (on first request and in the default mode) a dia- 
log requesting her credentials. By typing user name and password, 
the Base64 encoded version of these credentials is sent back to the 
server. In the authorization header, along with a token indicating that 

thp nffprpH £ii ithpntir*£itinn crhpmp Racip hzac hppn apppntpH hv 

11 IC UNCI CU C1U LI Id 1 IIL/GLII/I 1 Owl Id 1 IC LJdOIL. lido UCCI 1 CXKj^iKj VJ ICU Uy 

the client. 




Get / HTTP/1.1 Host: host Authorization: Basic 
dGVzdDpOZXNO 


Countermeasure 


Change web form authentication to use secure form authentication 
such as NTLM vs. 2 or Kerberos. Enable SSL to protect the authen- 
ticated sessions. 


Risk rating 


High 


Table 2: Errors in RBAC Server Side Business Logic 


Vulnerability 


Errors on RBAC Server Side Business Logic 


Vulnerability type 


Access Control: Authorization 


Security issue 


Weak mechanisms to enforce access controls on protected 
rpqni irpp 6 ; within thp "W^tem 

uOUUI uuu VVILI III 1 LI OVOlvl 1 1 


Security threat 


A business loaic error allow for default elevation of Drivileaes of 
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users logged into the application. 


Software security root cause 


Principle of least privilege is not enforced by the server side role 
based access controls. A source code analysis revealed a logical 
condition clause do not default to least privileges when user role 
normal user cannot be validated 

if user . equals ( "NormalUser" ) { 

grantUser (Normal User Permissions) ; 
}else{ //user must be admin/super 

grantUser ( "Super_User_Persmissions) ; } 


How to find the potential vulnerability 


Review source code for potential coding errors in the Role Based 
Access Control (RBAC) business logic implemented on the server. 
Log on as normal user and either modify or delete the permission/ 
role parameters before sending them to the server. The server will 
grant the user admin/super privileges. 


Countermeasure 


Modify the error in the RBAC business logic as follows: 

if user . equals ( "NormalUser" ) { 

grantUser (Normal User Permissions) ; 
}else if user .equals ("SuperUser") { 

grantUser ("Super User Persmissions) ; } 


Risk rating 


High 




Vulnerability 


Information disclosure via server error messages 


Vulnerability type 


Configuration management 


Security issue 


Application server not configured securely 


Security threat 


Stack traces in default error messages disclose application informa- 
tion that can be useful for a potential attacker 


Software security root cause 


Declarative setting in "web.config" file "custom Errors" set to Off 

<customErrors mode="Of f "/> 
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How to find the potential vulnerability Force the web server to errors. If errors server messages reveal im- 
portant information such as SQL exception errors and stack traces, 
custom errors are not turned on. For example an SQL exception er- 
ror disclose application information when custom errors are not 
turned on: 

[SqlException (0x80131904) : An error has occurred while 
establishing a connection to the server. When connect- 
ing to SQL Server 2005, this failure may be caused by 
the fact that under the default settings SQL Server 
does not allow remote connections . (provider : SQL Net- 
work Interfaces, error: 26 - Error Locating Server/ 
Instance Specified) ] 

Countermeasure Use declarative programming setting in "web.config" file and set 

"custom Errors" to On and "mode=RemoteOnly". All the errors unless 
explicitly specified will be brought to defaultRedirect i.e. 





myerrorpagedefault.aspx. a statuscode 404 will be shown 




myerrorpagefor404.aspx. 




<customErrors def aultRedirect="myerrorpagedef ault . aspx" 




mode="On | Off | RemoteOnly"<error statusCode="404" 




redirect="myerrorpagef or404 . aspx"/Xerror statusCo- 




de="500" 




redirect="myerrorpagef or500 . aspx"/X/ customErrors> 


Risk rating 


Low 



Table 3: Hard-coded Passwords 



Vulnerability 


Hard-coded passwords 


Vulnerability type 


Data protection in transit and storage 


Security issue 


Lack of adequate protection for secrets and other sensitive data 


Security threat 


Hard-coded hashed passwords can be recovered from source code 
and used by a malicious user to gain access to the application or to 
brute force the password (i.e. computing the hash of all possible 
passwords or a dictionary attack). 


Software security root cause 


Password hash is hard-coded in VerifyPwd API 

int VerifyPwd (String password) { 
if 

(passwd. Equals ("68af404b513073584c4b6f22b6c63e6b") ) { 

} return (0) 
return (1) ; } 




How to find the potential vulnerability 


Try to access source code (Java files) on the server side and verify if 
access controls (ACLs) are enforced to prevent access to the file. If 
source files are accessible the application is vulnerable. 


Countermeasure 


Use secure key storage such as CryptoAPI or Java Key Store for 
storing encryption keys and store password password's digests in a 
database. 


Risk rating 


High 


Table 4: Cross Site Scripting 


Vulnerability 


Reflected Cross Site Scripting (XSS) 


Vulnerability type 


Data Validation 


Security issue 


Lack of input and output validation when data crosses system or 
trust boundaries. 
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Security threat 


Invalidated input entered in the web application is not validated be- 
fore being reflected back to the client and can be run on the client 
browser potentially exposing the user. This kind of attack can be de- 
livered to the user via social engineering (e.g. phishing) by encour- 
aging the user to select a link to the web application that carries the 
malicious XSS script as part of the URL parameters. The malicious 
script can ue used tor stealing cooKies, session nijacKing ana any 
confidential data stored on the user's client browser. 


Software security root cause 


Data passed in the HttpServletRequest is placed into a " req" pa- 
rameter from user input without being validated. The same data is 
returned back to the servlet response without output validation/ 
encoding. 




import j ava . io . * ; 

import j avax . servlet . http . * ; 

import j avax . servlet . * ; 

public class HelloServlet extends HttpServlet 
{ 

public void doGet (HttpServletRequest req, HttpServle- 
tResponse res) throws ServletException , IOException 
{ 

String input = req.getHeader ("USERINPUT") ; 

PrintWriter out = res . getWriter ( ) ; 

out .println (input) ; // echo User input. 

out . close ( ) ; 

} } 






How to find the potential vulnerability Verify whether an application or web server will respond to requests 

containing simple scripts with an HTTP response that are executed 
by the user's browser. 




The attack vector can be a script to show sensitive information (e.g. 

cookie stored on the browser) in an alert. 

http: //server/cgi-bin/testcgi .exe?<SCRIPT>alert 

( "Cookie"+document . cookie) </SCRIPT> 


Countermeasure 


Perform input data validation using white lists (e.g. default deny) of 
unsafe characters and output encoding. When using .NET make 
sure that request validation is enabled as well as HTML encoding for 
the content to be displayed. 

<pages validateRequest=" true" ... /> 
Server . HtmlEncode (string) 

Enforce encoding in output to assure that the browser interprets any 
special characters as data and markup. HTML encoding usually 
means < becomes &it; , > becomes >, & becomes samp,-, and " 
becomes squot. 


So for example the text <script> would be displayed as <script> 
but on viewing the markup it would be represented by 

<script> 


Risk rating 


Medium 


Table 5: Application Fails Insecurely 


Vulnerability 


Application Fails Insecurely 


Vulnerability type 


Error Handling and Exception Management 


Security issue 


Failure to deal with exceptions effectively and in a secure manner, 
resulting unauthorized disclosure of information. 


Security threat 


The application fails leaving users in higher privilege state because 
of errors in the business logic that handles exception handling 
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Software security root cause 


zxception thrown in the try block by "ReadSecretFile" will bypass 
'LowerPrivilege" call. 

try{ 

ElevatePrivilege () ; 

ReadSecretFile () ; 
LowerPrivilege ( ) ; 
\ catch (Exception e) { 
iandleError (e) ; 
} 


How to find the potential vulnerability 


Jse automated code scan to identify incomplete exception error 
jiocks (e.g. iry-caicn wimout iinany). Manually review tne exception 
landling business logic to identify unsafe exception handing. 


Countermeasure 


When catching exceptions with try-catch always use finally block to 
-eset the original state of user permissions. 

try{ 

ElevatePrivilege () ; 

ReadSecretFile () ; 
\ catch (Exception e) { 
4andleError (e) ; 
Finally { 
jower Privilege ( ) ; 
i 


Risk rating 


High 


Table 6: Application Information Disclosure 


Vulnerability 


Application Information Disclosure 


Vulnerability type 


Logging and Auditing 


Security issue 


Failure to deal with exceptions effectively and in a secure manner, 
resulting unauthorized disclosure of information. 


Security threat 


The stack trace information displayed to the user as part of the ex- 
ception message can be used by an attacker to stage the next at- 
tack to the application. 


Software security root cause 


The exception error is sent to standard output 

try { 

/. . ./ 

} catch (Exception e) { 
e .printStackTrace () ; 
} 


How to find the potential vulnerability 


With white box testing, automatically scan source code for un-safe 
exception handling patterns. 

With black box testing, verify that the web application handles errors 
by displaying general information to the end user. Displaying excep- 
tion information such as stack trace and application information indi- 
cates un-secure exception handling. An example shown herein dis- 
play sensitive information such as JSESSIONIDs and IP addresses 

network: Connecting 

https : / / newtrade . sharekhan . com/ rmmweb/ applet/ Stream 
ingApplet/RTApplet . class with cookie 

" JSESSIONID=FG8c0kDgFywCCcc9nZNZJTmHPhv4pG4y2F2nv6W 
nLFbJPDGSX114 ! -506720403" 
network: Connecting 

https : / / newtrade . sharekhan . com/ rmmweb/ applet/ Stream 
ingApplet/RTApplet/class . class with proxy=HTTP @ 
/192. 168. 40. 7:8080 10:38:12:262: 
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Countermeasure 


Made exception information only be used as debugging information 
that is not part of production release code. Use Log4jl_ogger to log 
exception error messages securely: 

try{ 

/ / some code 

} catch (Exception ex) { 

logger . debug (exception . toString ( ) ) ) ; } 

i 
; 


Risk rating 


Low 


Table 7: Session IDs not marked secure 


Vulnerability 


Session IDs not marked secure 


Vulnerability type 


User and Session Management 


Security issue 


Lack of mechanisms to maintain session independence between 
multiple logged-on users and insecure user provisioning and de- 
provisioning policies. 


Security threat 


Cookies without the secure flag set can be sent by through a non 
SSL session (transverse the network unencrypted). 


Software security root cause 


Session cookies used by the application do not have the secure flag 
set to true. 

Cookie cookie = new Cookie ("TEST" , "TESTVALUE") ; 

cookie . setDomain ( "abc . def . com" ) ; 

cookie . setMaxAge (300) ; 

cookie . setPath ("/"); 

cookie . setSecure (false) ; 

response . addCookie (cookie) ; 


How to find the potential vulnerability With white box testing, automatically scan source code for cookie 

settings. 




With black box testing, verify that the cookie set by the server does 
not have the secure flag. 

Set-Cookie: name=newvalue ; expires=date ; path=/; 
domain= . example . org . 


Countermeasure 


Mark the cookies as secure so that they are transmitted only over 
secure (SSL) channel: 

Cookie secure = secure; .NET 
cookie . setSecure (true) ; (Java) 


Risk rating 


Low 



Marco serves as a leader of the OWASP (Open Web Application Security Project - owasp.org) where he con- 
tributed to write the OWASP Security Testing Guide. Marco and also works as Technology Information Security 
Officer for a large financial organization with key roles in defining the web application security roadmap and 
activities, document security standards and guidelines, perform security assessments for software security as 
well as training software developers and project managers on the software security and information security 
processes. In the past, Marco served as senior security consultant within a major security consulting company 
in USA where his responsibilities included providing software security services for several clients in the bank- 
ing, telecommunication, computers and financial business sectors. Marco also had a career in the software 
industry in diverse professional roles such as contractor, senior software engineer and project manager with 
responsibility to design and to develop business critical security software products for several FORTUNE 500 
companies as well for the US Government (i.e. NASA). 

Marco is active in publishing on the topic of software security for several professional organizations (ISSA, 
OWASP) as well as on his blog: http://securesoftware.blogspot.com. Marco can be contacted at 
marco.morana@owasp.org 
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Internet terrorist; does such a thing really exist? 

By Rkk La whom 



Recently, I have experienced an increase in organizations questioning how 
real is the threat of Internet terrorism and what they can do to protect them- 
selves. As a former CISO, this was one of the last concerns that crossed my 
mind, especially since it was a daily up-hill battle getting buy-in for the most 
basic security controls and services. 



The notion of worrying about the potential risk 
of terrorism against my organization seemed 
to be the lowest priority given the choices at 
hand. Ironically, terrorism today seems to be 
an emerging concern in the commercial world 
and many are actively pursuing methods and 
technology to help combat the problem. As a 
result, I began to research this trend to deter- 
mine its drivers and potential implications to 
information security as we know it today. 

I have been able to identify two main factors 
to date that play a part in the increased con- 
cern for businesses. 

Governments all around the globe are spend- 
ing vast amounts of money trying to track and 
contain internet terrorism. 

As former government security professionals 
are landing executive roles as CSO and CISO 
in organizations, the awareness and educa- 
tion about terrorism is increasing and the 
company is driven to investigate the threat fur- 



ther. Also, the news media is making Internet 
terrorism and the targeted attacks front-page 
news, which impacts a much larger audience. 
The combination of these factors propels 
companies and their leadership to ask the im- 
portant questions in order to determine the 
risk it presents, especially in the critical indus- 
tries like utilities and supply chains. 

To better understand this threat and its impact 
on organizations today requires some back- 
ground on how terrorism is defined. Once we 
have a definition laid out, we need to add the 
term "internet" to terrorism to gain an under- 
standing of how this changes the overall 
meaning and its impact. 

Each of us has a pre-conceived notion of what 
terrorism means. I am confident that your 
definition differs from mine since this is 
shaped by our personal environment and 
experiences. 
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I am also confident in saying that even though 
our definition of terrorism may differ, there are 
fundamental characteristics that we share in 
common. Today there is no universally ac- 
cepted definition of terrorism and countries 
define the term according to their own beliefs 
and to support their own national interests. In 
fact, it might be impossible to define because 
it is intangible and fluctuates according to his- 
torical and geographical contexts. Some forms 
of it are indistinguishable from crime, revolu- 
tion, and war. Even the US government is 
struggling with a consistent definition by evi- 
dence of the following chart: 

State Department definition, Title 22 of the 
U.S. Code, Chapter 38, Section 2656f(d): 



premeditated, politically motivated violence 
perpetrated against noncombatant targets by 
sub-national groups or clandestine agents, 
usually intended to influence an audience. 

FBI definition: the unlawful use of force or vio- 
lence against persons or property to intimidate 
or coerce a government, the civilian popula- 
tion, or any segment thereof, in furtherance of 
political or social objectives. 

Defense Department definition: the calculated 
use, or threatened use, of force or violence 
against individuals or property to coerce or 
intimidate governments or societies, often to 
achieve political, religious, or ideological ob- 
jectives. 



Today, there is no universally accepted definition of terrorism 
and countries define the term according to their own beliefs and 

to support their own national interests. 



United Nations definition: any act intended to 
cause death or serious bodily injury to a civil- 
ian, or to any other person not taking an active 
part in the hostilities in a situation of armed 
conflict, when the purpose of such act, by its 
nature or context, is to intimidate a population, 
or to compel a government or an international 
organization to do or to abstain from doing 
any act. Article 2(b) of International Conven- 
tion for the Suppression of the Financing of 
Terrorism, May 5, 2004) 

If we take all the three definitions and com- 
pare them, we can understand the govern- 
ments' intent in defining the actions and the 
basic fundamental characteristics of terrorism. 
Realistically, the lack of a solid, universally 
accepted definition and having to rely on in- 
tent is the first major strike against under- 
standing the threat. 

The first rule in being able to track a threat is 
to understand what that threat is and the 
characteristics that make up the profile. If we 
do not have this understanding up front, it will 
spur a great amount of activity for the least 
possible value in targeting Internet terrorism. 
With so many different definitions, you can 
start to understand the reason behind failures 
in the identification and of course, tracking 
and monitoring. 



In the interest of moving to the next phase in 
our discussion, let's assume that terrorism is 
defined as an unlawful use or threatened use 
of force or violence against people or property 
to coerce or intimidate businesses, govern- 
ments or societies. 

We can now tack on the term "Internet" to ex- 
plore how the definition changes and the im- 
pact of those changes on information security. 
By building the term "Internet terrorism", we 
are saying that violence and physical harm 
can be conducted electronically. Now I don't 
believe that this is the intent, but in essence 
layering intent upon intent has now diluted our 
definition. This causes confusion and forces 
us to lean upon our beliefs, environment and 
current situations to form a definition. This 
does not provide us with any greater capability 
in tracking or monitoring and just seems to 
muddy the waters even further. 

So how we identify the threat and what can 
we do to protect ourselves? Internet terrorism 
is really about two separate uses of the Inter- 
net. First, a terrorist can utilize the Internet as 
a vehicle to cause outages and denial of serv- 
ices with an overarching message to instill 
fear and to threaten physical harm. 
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From an information security point of view, we 
can readily understand this first point since we 
experience this noise today within on our net- 
works. The attacks are targeting our assets to 
cause electronic pain and fear with our Inter- 
net presence. But as we know, attacks that 
are conducted against our organizations can 
originate from many diverse groups with for 
different reasons. Former employees, com- 
petitors, or fraudsters can have justifiable rea- 
sons in their mind to electronically cause you 
pain or reputation harm. 

It becomes apparent that the campaign 
against Internet terrorism using the Internet in 
this fashion may stem from known terrorist in 
the real world who has conducted violent or 
harmful crimes to invoke fear. 

The challenge is to know when these seem- 
ingly "innocent" attacks actually become ter- 
ror. 



Does the act require a certain number of 
members, a certain political/ideological princi- 
ple, or a certain funding to be considered ter- 
rorism? Can one person be considered a 
terrorist? 

These are great questions that need a clear 
definition to gain the appropriate buy-in and 
funding within an organization. Since the ac- 
tivity and characteristics are not well defined, 
the message today will be a hard sell for in- 
formation security professionals and will get 
lost in the shuffle of shifting priorities. 

Likewise, when the terrorist begin to electroni- 
cally target organizations and prevent services 
from working, companies today would see the 
threat as noise since there is nothing that dis- 
tinguishes them from the rest of the pack. The 
challenge is determining how to distinguish 
the noise that is normally experienced from an 
actual terrorist activity. 



The attacks are targeting our assets to cause electronic 
pain and fear with our Internet presence. 



The second use of the internet by terrorist is 
their utilization of technologies to build and 
coordinate their activities such as recruitment, 
fundraising and data mining. The internet is 
the perfect tool to use for this activity since 
much of it is not regulated and there is ano- 
nymity that protects against identification. This 
helps terrorist build memberships and raise 
funding to further their cause and distribute 
their message to a wider audience. 

But can this equate to electronic violence or 
transform into physical harm? Each one of us 
use the internet for the same purpose, minus 
the terrorist intent, so tracking and monitoring 
are quite difficult to nail down without spilling 
over into our civil liberties as a whole. 

The perceived harm that can be identified is 
the ability to organize a group for the intent of 
personal or physical violence. In order for an 
organization to keep on top of this issue, it 
would require vast amounts of resources and 
capital to infiltrate each terrorist group and 
monitor their progress. This goes way beyond 
what any commercial organization would do, 
especially since many still require basic secu- 



rity controls and services. This type of request 
would certainly invoke some strange looks. 

Here is where the government steps in on the 
war on internet terror. The government has 
the funding and resources to concentrate on 
infiltrating the terrorist groups to provide the 
community greater insight into the problem. 

We know that the government's main concern 
is infrastructure and self-preservation so ter- 
rorist targeting one specific entity or business 
becomes secondary by default. Disclosure of 
the intelligence takes a considerable amount 
of time since the information has to be inter- 
preted and correlated against other informa- 
tion before being released. 

I have not experienced a mechanism or proc- 
ess that would release intelligence in a timely 
manner to a commercial business unless it 
was a matter of national security. Strike two is 
the inability, either by design or accident, to 
make the intelligence gathering and disclosure 
transparent and timely. 
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This seems to be the greatest gap in protect- 
ing our commercial industries from Internet 
terrorist today. The lack of communication, 
fear or retaliation coupled with the shear ex- 
pense prevents organizations from becoming 
the watchdogs for their respective industries. 
The terrorist seem to capitalize on this short- 
fall and use it to their benefit. 

There are many journals and white papers 
that clearly confirm that the internet terrorist 
community is becoming increasingly sophisti- 
cated and beginning to leverage technology to 
protect their interests. I find this is amazing 
considering the lack of a fundamental defini- 
tion to understand what we are monitoring, but 
I digress. 

Online session encryption and file encryption 
are being used to conceal information about 
activity and potential targets. They are build- 
ing redundant systems that have the ability to 
withstand constant bombardment of noise by 
other terrorist groups or disgruntled citizens. 

They are beginning to build highly dynamic 
services that can disappear, re-emerge to 



change locations quickly and easily. The con- 
tent on their sites is rich with multimedia such 
as movies or audio. They even implement se- 
curity controls to track and prevent their ver- 
sion of threats to their presence. 

As the use of technology sophistication con- 
tinues to grow, the less insight our govern- 
ments will have about their activities and po- 
tential targets. The small amount of informa- 
tion we could potentially access today is dry- 
ing up fast. We really need to open our eyes 
to this problem and build better methods to 
keep up or offset this threat growing into 
something much larger. We need to convince 
our governments that our society can be radi- 
cally impacted by the collapse of our commer- 
cial industries as well as our critical infrastruc- 
ture. 

Monitoring and active communication of 
emerging threats can further assist our indus- 
tries to prepare or prevent the attacks, given 
the time to react. Sure, the down side is over- 
reacting, but given that the majority of our 
businesses are on-line, I would enjoy the abil- 
ity and time to manage my reaction. 



As the use of technology sophistication continues to grow, 
the less insight our governments will have about their 

activities and potential targets. 



As information security professionals, we are 
limited in what we can do to offer physical and 
logical protection. We always have to balance 
the security control with the convenience fac- 
tor and no one wants to complicate any proc- 
ess that is suppose to generate revenue or 
get the revenue generators to their desks. 

In the physical security space, we have a few 
more choices in protective services that push 
the terrorist out further into someone else's 
yard, but we are still very limited in coordi- 
nated information sharing within our respected 
industries. In the electronic world, we can con- 
tinue to insist on the basic levels of security 
controls to detect and potentially prevent at- 
tacks, but it will always be perceived as Inter- 
net noise vs. terrorism until we accurately de- 
fine the risk. 



Let's return to how we identify the threat and 
what can we do to protect ourselves. We now 
know that there is no consistent method to 
define or track internet terrorism. We under- 
stand that the issue is extremely complex 
since the characteristics can change based on 
our environment and experience. We can now 
understand the government's role in being the 
watchdog for our critical national infrastructure 
and the government services, but this takes 
considerable resources and funding. 

We also know that our communication in both 
our local community and our global industry 
vertical is limited since the intelligence is not 
readily available to share. The message we 
are left with is that there is very little we can 
do until we define with certainty the meaning 
and characteristics of Internet terrorism. 



www.insecuremag.com 



42 



A great place to start would be to have the 
government develop a single definition that 
can be communicated to its agencies so that 
the right profile can be understood. 

Another key development would be to rebuild 
certain structures that gather intelligence to 
facilitate a greater level of communication to 
impacted industries. With a clear definition 
and greater communication, we can then be- 
gin to monitor and track certain behaviors that 
could be potential threats with greater accu- 
racy. 



Accuracy equates to a reduction in cost and 
resources, which can then be reinvested into 
greater communication and intelligence gath- 
ering. Sounds simple but my guess is that it 
will take a great amount of time to achieve, if 
we even achieve it at all. In the meantime, we 
are left with vague definitions, variable charac- 
teristics and a method of attack that blends in 
with the normal noise we see on the internet 
daily. 

It really does beg the question, does such as 
thing really exist? 



Rick Lawhorn (CISSP, CISA, CHSS, CHP, TCNP) is the Director of Information Security & Compliance at 
PlanIT Technology Group. Rick was the Chief Information Security Officer (CISO) for GE Financial Assurance, 
Chief Information Security Officer (CISO) for Genworth Financial and served in information technology leader- 
ship roles within Hunton & Williams law firm and the National White Collar Crime Center. He has over 17 years 
of experience in information technology and extensive security industry experience. Rick has been published 
in numerous domestic and international security magazines such as Information Security, SC Magazine and 
(IN)SECURE Magazine. In addition, he is serving on several advisory boards for new, innovative security 
products and has created a working group focused on developing meaningful metrics for CISOs. He can be 
reached at rick.lawhorn@mac.com or find him on the Linkedln network. 
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Organized web threat families pollute your PC for profit. 



The darker end of the spectrum gets much 
more complex. The economy in the darker 
end of the internet has multiple profitable lay- 
ers. Resellers of sensitive data, the latest vul- 
nerabilities and authors of toolkits are com- 
mon new ways of making a buck in the digital 
black-market. 



Just as personal computers and the Internet 
have become a regular part of our daily lives, 
so to have parasitic and malicious software. 
As the world has become more networked, 
vandal computer viruses of the early days 
have evolved into today's larcenous web 
threats. 



Simply put, web threats are malicious soft- 
ware programs such as spyware, adware, tro- 
jan horse programs, bots, viruses, worms, etc. 
that are installed on a PC without the knowl- 
edge or permission of the owner. These pro- 
grams utilize the internet to spread, hide, up- 
date themselves, and send stolen data back 
to perpetrators. They can be combined - for 
example, a trojan downloads spyware or a 
worm that is used to infect a PC with a bot. 

Another way to consider web threats is as the 
software of individual malware and adware 
enterprises. At one end of a spectrum these 
enterprises are fully-incorporated publicly- 
disclosed corporations. These include enter- 
prises such as Integrated Search Technolo- 
gies and Zango. 



Until recently, malware variants generally 
have been treated as separate individual 
threats. This comes from the legacy of self- 
propagating viruses and worms where a sin- 
gle variant can spread its vandalism world- 
wide within hours. 

In contrast, the economically-motivated web 
threats of today use different software as 
piece-parts of a singular web threat business 
model. This has led anti-malware threat re- 
searchers to group together individual web 
threats that serve the same malware enter- 
prise - regardless of differences in technical 
characteristics - see the table on the following 
page. 
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installed by: 



money from: 



operates by: 



does it protect itself? 



protected by: 



exploit 

unknowing consent 

lack full disclosure 

freeloader 

trojan 

worm 



adware 
trackware 
keylogger 
browser hijacker 
fraudulent changes 
fraudulent royalty 



browser helper 
object (BHO) 

browser toolbar 

layered service 
provider (LSP) 

application 

cookie 

dialer 



rootkit 

watchdog program 
mimicry 

polymorphic variation 



Non-virus web threats on client PCs typically have four components that together characterize the web threat 
business model. 



What emerges from these analyses is a much 
clearer view of the web threat economy. Web 
threat families are groupings of individual web 
threats and variants that serve the same mal- 
ware enterprises. Web threat families can 
consist of multiple pieces of software on indi- 
vidual PCs - each piece serving the malware 
business model in its own specialized way. 

Rather than counting up all the software 
pieces as individual infections or variants, it is 
more relevant just to consider whether a PC is 
infected by a web threat family or not. And un- 
like viruses, where the rate at which an out- 
break spreads is so important, web threats are 
best measured by what fraction of PCs are 
infected and how long they stay there earning 
money for their malware enterprise. As a re- 
sult, the relevant index of web threat families 
is the average proportion of PCs infected. For 
example, the Zango web threat family led all 



others, infecting on average 9.7% of all PCs 
throughout 2007. 

There is one small consolation in all this for 
defending PCs from the rising tide of 
economically-motivated web threats. While 
malware writers have almost infinite technical 
variations available to disguise and protect 
new malware, the web threat business model 
is far more constrained. Web threat behaviors 
associated with monetary gain are typically 
harder to disguise than the underlying tech- 
nologies for implementing them. 

This has helped threat researchers at Trend 
Micro identify the top perpetrators of web 
threat families that profit at the inconvenience 
and expense of PC owners and users. Trend 
Micro has designated the top twelve of these 
web threat families the "Dozen Demons". 
Here they are: 



1. 


Zango 


9.7% 


2. 


Hotbar 


7.0% 


3. 


Drivercleaner 


6.7% 


4. 


Winfixer 


6.1% 


5. 


Virtumundo 


6.0% 


6. 


WhenU 


5.7% 


7. 


IBIS 


4.9% 


8. 


Purity Scan 


4.6% 


9. 


Zlob 


4.5% 


10. New.net 


4.1% 


11 


. Softomate 


3.4% 



1 2. Starware / Comet 3.1% 



The proportion of PCs infected with a web threat family is based on weekly averages from HouseCall 
scans of 2.4 million PCs worldwide measured throughout 2007. Infections from identified web threat 
families accounted for 67% of all infections. 



www.insecuremag.com 



45 



1 . Zango - 2007 average proportion of PCs 
infected: 9.7% 

Zango software includes known adware and 
spyware typically required to access partner's 
games, DRM-protected videos and software. 
Zango's consumer website asserts that the 
company is "committed to creating a content 
economy built on a foundation of safe and 
ethical practices by protecting consumer pri- 
vacy while offering a fulfilling and high-value 
content experience." Zango content includes 
sports, comedy, dance, erotic videos, online 
games, and screensavers. Warner Bros, and 
others have been known to provide content, 
although Warner Bros, has terminated its 
business relationship with Zango after an on- 
line outcry. 

Zango Easy Messenger 

Undesirable behaviors associated with Zango 
Easy Messenger include: 

• automatically runs on startup 

• displays pop-up advertisements 

• installs adware. 

Zango Cash Toolbar 

• A number of user pages on the MySpace 
domain which have videos that look like they 
are from YouTube. The videos have an in- 
staller embedded within them for the Zango 
Cash Toolbar. When users click on the video, 
they are directed to a copy of the video, which 
is hosted on a site called Yootube.info. 

Third parties are paid by Zango to install 
Zango software without the required user con- 
sent. Zango's past features a remarkable se- 
ries of bad-actor distributors, from exploit- 
based installers to botnets to faked consent. 
Even today, some distributors continue to in- 
stall Zango without providing the required no- 
tifications and consents. 

Seekmo 

Seekmo is an adware program by Zango that 
claims to be a free tool to provide content 
such as mp3 files, screen savers and videos. 
Seekmo can pop-up advertisements even if 
you have a pop-up blocker on your computer, 
and will monitor your computer usage to gen- 



erate ads that you are more likely to respond 
to. 

2. Hotbar - 2007 average proportion of PCs 
infected: 7.0% 

Hotbar (also known as HbTools) is a plugin for 
Internet Explorer, Microsoft Office Outlook, 
and Outlook Express. Hotbar adds a toolbar 
and the option of extra skins to these pro- 
grams. It also allows the user to add emoti- 
cons to emails created in Outlook or Outlook 
Express or check the weather report. Its major 
revenue comes from the excessive use of 
pop-ups which are displayed according to a 
user's behavior and current URL. The applica- 
tion can show over 15 pop-ups a day, depend- 
ing on how much Internet browsing has oc- 
curred. 

Undesirable behaviors associated with Hotbar 
include: 

• bombards users with ads in pop-ups, web 
browser toolbars, Windows Explorer toolbars, 
auto-opening sidebars, and even desktop 
icons 

• failing to affirmatively show a license agree- 
ment. 

Originally independent, Hotbar has since been 
acquired by Zango. 

3. Drivecleaner - 2007 average proportion of 
PCs infected: 6.1% 

DriverCleaner is a program that is silently in- 
stalled by using an exploit or social engineer- 
ing. The program falsely claims the PC is in- 
fected and will not clean until you purchase 
the software. This threat is often installed 
along side the Vundo Trojan that holds posi- 
tion 5 on the dozen demons list. 

4. Winfixer - 2007 average proportion of PCs 
infected: 6.1% 

Winfixer is a program that is silently installed 
by using an exploit or social engineering. The 
program falsely claims the PC is infected and 
will not clean until you purchase the software. 
This threat is often installed along side the 
Vundo Trojan that holds position 5 on the 
dozen demons list. 
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5. Virtumundo - 2007 average proportion of 
PCs infected: 6.0% 

Virtumundo is a trojan that typically uses so- 
cial engineering tricks and silent install web- 
sites to get installed. Many have been ob- 
served to install fraudulent security software 
such as Winfixer or DriverCleaner. 

Also known as VirtualMundo and VirtuMonde, 
Virtumundo facilitates the spread of adware 
and spyware that results in large amounts of 
unsolicited pop-up advertisements. The threat 
regularly contacts predetermined web sites to 
receive ads and additional instructions. Virtu- 
Mundo is also bundled with spyware and 
advertising-supported applications that auto- 
matically run on every Windows startup. 

6. WhenU - 2007 average proportion of PCs 
infected: 5.7% 

WhenU, a popular adware company make an 
array of products such as Save Now and 
WhenU search. These products are installed 
by themselves as well as bundled with 3rd 
party applications such as screen savers and 
shareware. 

WhenU offers contextual advertising through 
their software. The software selects which ad- 
vertisements and offers to show you based on 
several factors, including which web pages 
you visit, search terms you use while search- 
ing online, the content of the web pages you 
view, and your local zip code (if you have 
supplied it.) 

WhenUSearch 

WhenUSearch is an adware application that 
creates a special desktop toolbar, monitors 
user Internet activity, collects details of per- 
formed web searches and serves marketing 
and advertising content. WhenUSearch can 
update itself via the Internet. The adware is 
bundled with ad-supported WhenU.com soft- 
ware. It can also be manually installed. Whe- 
nUSearch runs on every Windows startup. 

SaveNow 

SaveNow is adware that delivers relevant of- 
fers, coupons, and advertisements to you 
based on your web browsing habits. SaveNow 



may track which web pages you visit, the 
search terms you use while searching online, 
the content of the web pages you view, and 
your local zip code. This information may be 
used to base which advertisements and offers 
to show you. 

7. IBIS - 2007 average proportion of PCs in- 
fected: 4.9% 

IBIS are a company that distributed a toolbar 
that used several unique methods to make it 
difficult to be manually removed or cleaned 
with security software. This toolbar was dis- 
continued by Ibis LLC last year but still 
remains installed on many users machines. 

IBIS Toolbar 

IBIS Toolbar is a web browser toolbar that 
may redirect your search requests and display 
pop-up advertisements. IBIS Toolbar may 
monitor your Internet activity, including your 
search requests, websites you are visiting, 
products you are buying, and data you enter 
into forms. IBIS Toolbar may share this infor- 
mation with third party partners. IBIS Toolbar 
may also download and install adware without 
your knowledge or permission. IBIS Toolbar 
may prevent you from visiting various anti- 
spyware websites. IBIS Toolbar is typically 
distributed through pop-up advertisements 
and bundles with other spyware, such as Cy- 
door. 

8. Purity Scan - 2007 average proportion of 
PCs infected: 4.6% 

Purity Scan is a program that is supposed to 
scan your PC for pornography. This program 
has been installed with the use of exploits and 
social engineering tricks. Purity Scan is owned 
by Clickspring and is also known to go by the 
alias VirtuScope. 

PurityScan is a free tool that checks your 
computer for objectionable adult content. Puri- 
tyScan scans your computer files and Internet 
history for keywords that may hint at porno- 
graphic material. When it locates questionable 
content, it displays the URL, word, or file 
name in a display table so you may delete it. 
After installation, when you connect to the 
Internet PurityScan may also launch adver- 
tisements, and automatically update itself. 
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PurityScan upgrades may include the auto- 
matic installation of third party applications. 

9. Zlob - 2007 average proportion of PCs in- 
fected: 4.5% 

Zlob is commonly assigned to trojans that 
pose as video codecs on adult websites and 
have also been noted to spoof popular video 
services such as YouTube. These trojans 
have been noted in the wild to install fraudu- 
lent security applications as well as DNS hi- 
jackers. 

Zlob is a backdoor designed to give the at- 
tacker remote control over a compromised 
PC. It changes essential computer settings 
and modifies certain files. Zlob starts auto- 
matically on every Windows startup and hides 
its activities by injecting code into 
explorere.exe. It waits for remote connections 
and allows the attacker to download and in- 
stall additional software, execute certain 
commands and manage the entire computer. 
Zlob can be very dangerous. Use antivirus 
and malware removal tools in order to get rid 
of this spyware. 

Zlob Trojan installs many popular rogue anti- 
spyware programs, among them are lEDe- 
fender, AntiVirGear, SpyShredder, WinAntiVi- 
rus Pro 2007, Ultimate Cleaner and Se- 
curePCCIeaner. 

10. New.net - 2007 average proportion of PCs 
infected: 4.1% 

NewDotNet is a layered service provider to 
the TCP/IP stack that allows other domain 
suffixes besides .com such as .xxx and .shop. 
This application is commonly bundled with 
other software. 



NewDotNet is an Internet Explorer plug-in that 
sends a web browser to sponsored web sites 
whenever the user enters a non-existent or 
mistaken site address into the address bar. 
The threat can track user browsing habits and 
may show commercial pop-up advertise- 
ments. It is able to silently update itself via the 
Internet. NewDotNet is bundled with a variety 
of advertising-supported products. It also can 
be manually installed. The threat runs on 
every Windows startup. 

NDotNet is an adware program that associ- 
ates non-existent domain names with spon- 
sored content. When a user enters a keyword 
into a browser address bar or types a mis- 
taken or non-existent URL, the adware redi- 
rects the user to a sponsored page. 

11. Softomate - 2007 average proportion of 
PCs infected: 3.4% 

Softomate are a company that provides cus- 
tomizable toolbars. Some of the toolbars cre- 
ated are used in a malicious fashion and oth- 
ers are used for legitimate purposes. 

Softomate toolbars may change your browser 
settings and redirect your search requests 
through a parent server. Softomate may also 
monitor your Internet activity and habits and 
launch pop-up advertisements accordingly. 

12. Starware / Comet Systems - 2007 aver- 
age proportion of PCs infected: 3.1% 

Starware is an Internet Explorer toolbar with 
specialized search functions and a pop-up 
blocker. Starware Toolbar may display adver- 
tisements and redirect your search requests 
through their parent server. Bug fixes and new 
features may be added to Starware Toolbar 
without your notice. 



George Moore is a senior threat researcher at Trend Micro specializing in spyware and adware. He focuses on 
the methods by which Web threats surreptitiously install and protect themselves on user PCs as well as the 
organization and economics of malware publishers. 

Anthony Arrott is a special assistant to the CTO at Trend Micro. He manages threat analytics operations and 
threat data sharing agreements with outside organizations. 
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malware diagnostic tool originally developed by Merijn Bellekom. 
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Weaknesses and protection of your wireless network 

By Rob Faber 




The ease of use of wireless networks and being able to be connected every- 
where and at any time is a part of our lives. Unfortunately this also comes 
with some disadvantages. Properly protecting your WLAN, both at home and 
at the office, can be a challenging task. This time we dive a bit deeper into the 
known weaknesses, misconfiguration and protection of wireless networks. 



WiFi, WLAN, Wireless, GPRS, EDGE, 
HSDPA, UMTS, Bluetooth, are all technolo- 
gies that are used intensively in our world to- 
day, where information is available anywhere, 
at anytime. Wireless networks appear to be 
everywhere these days. You can find them on 
airports, in restaurants, at the office and of 
course at home. And the use of it will only in- 
crease in the coming years. However, the fact 
is that alongside all that freedom there are 
also several security issues that must be dealt 
with effectively. 

It should be made clear that there are some 
implementations out there today that don't 
even begin to address the starting points of 
information security. Despite the many 
breaches, warnings and recent headlines in 
newspapers, WEP (Wired Equivalent Privacy) 
for example is still being widely used today. 
Not only in a home environment but also 
within company networks. 



Security and hacking methods are continu- 
ously evolving and mean that there is a defi- 
nite need to stay informed. 

This time we'll take a look at sniffing and ana- 
lyzing WLAN traffic - working with Wireshark 
and AirPCap, and also how to better protect a 
WLAN with for instance EAP/TLS. 

Sniffing and monitoring a wireless network 

Sniffing, or catching packets on a wired ether- 
net network is relatively easy. Just plug in a 
network cable, install a packet sniffer on your 
laptop and start a capture while the network 
card is set to promiscuous mode. When it 
comes to wireless analysis however, the sniff- 
ing of traffic becomes more complicated. This 
is because wireless networks operate on mul- 
tiple channels, using different frequencies and 
broadcast in the open air. 
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Most wireless network cards support different 
modes of operation. Normal behavior in many 
cases will be the user connecting with a wire- 
less network card to an Access Point (AP). 
This is the so-called "managed mode". An- 
other option is to connect directly to another 
wireless device without using an Access Point, 
the so called "ad-hoc mode". The third option 
is the "master mode", where the wireless card 
can act as an Access Point to serve other 
wireless devices. This mode can be used for 
hacking purposes because the attacker is able 
to pretend to be a legitimate Access Point in 
your network, which - of course - it isn't. 

The final option is the "monitor mode". In this 
mode the wireless network card will just listen 
on a specific channel and then stealthily cap- 
ture packets. Naturally, the monitor station will 
not announce itself and will thus be com- 
pletely undiscoverable. 



Most Windows' drivers for wireless cards un- 
fortunately do not provide support for this 
monitor mode. So by using - for instance - the 
AirPCap adapter, it is possible to make use of 
this specific mode and listen to a channel 
while remaining "below the radar" and not in- 
terfering with other traffic. 

If you want to analyze wireless traffic, the first 
step is to find the channel or frequency used 
by another Wireless station, or the Access 
Point. You will then be able to eavesdrop on 
the conversation. With this information, it is 
possible to configure your wireless card to use 
the same channel and start collecting packets. 
Normally, a wireless card can only fully oper- 
ate on one frequency at a time. The Kismet 
and Cain tool both makes it possible to scan 
or "hop" around between different channels, 
just to check if communication is going on. 



WITH A NETWORK SNIFFER IT IS POSSIBLE TO ACTUALLY DISPLAY WHAT IS 

GOING ON IN THE AIR AROUND YOU 



Preparation: how to monitor WLAN traffic 

With a network sniffer it is possible to actually 
display what is going on in the air around you 
and catch the wireless networks and in this 
way identify security vulnerabilities such as 
weak encryption or authentication problems. 
The tools used in this article for ethical hack- 
ing also uses a wireless adapter with the spe- 
cial features described earlier. 

In this article we use the AirPcap adapter. In 
order to overcome the limitations of most wire- 
less drivers for Windows systems as dis- 
cussed earlier, CACE Technologies 
(www.cacetech.com) introduced a commercial 
product called AirPcap. It is a combination of a 
USB IEEE 802.11 a/b/g adapter, supporting 
driver software, and a client configuration util- 
ity. AirPcap provides a mechanism for captur- 
ing wireless traffic in monitor mode on Win- 
dows workstations. The adapter is ideal for 
this purpose and personally I like it because 
the ease of use. Other wireless cards can be 
used also such as from Atheros. You'll have to 
keep in mind that the wireless card (and 
driver) have to support monitor mode. See for 
yourself what you prefer. 



Sneaking into a wireless network 

There are several tools that can be used to 
sneak into a wireless network. An extensive 
list is available today and includes EtterCap, 
Kismet, Cain&Abel, Netstumbler, THC-RUT, 
Hotspotter, ASLEAP, THC-LEAPCracker, 
AirSnort, Airodump, HostAP, WEPWedgie, 
WEPCrack, AirSnarf, SMAC, AirJack, DSSniff, 
IKECrack and Nessus. Please note that this 
list is by no means exhaustive. Next we will 
discuss a couple of the better known tools 
placed within a scenario. This can be repre- 
sentative case to gather information and dis- 
cover vulnerabilities in wireless networks. 

I'll stress the fact that all I present to you only 
can be practised in a test environment or on 
your own network for ethical and legal rea- 
sons! 

Gather basic information using Kismet 

Kismet is a common used tool for site sur- 
veys. It features a little functionality that 
NetStumbler is missing: displaying Wireless 
Networks that are not broadcasting their 
SSID. 
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Access Points broadcast this information most 
of the time and Kismet will also detect and 
display SSIDs that are not being broadcast in 
the open. The first thing that you have to do is 
to get a clue on the wireless networks that are 
out there. To get this information fire up Kis- 
met. 

I sniffed around a bit and the result you can 
find in the next screenshot. You can see now 



that there are indeed networks active (and 
when I installed the external antenna of the 
AirPCap about 20 networks more showed 
up!). The next step then is to gather informa- 
tion about a specific network. Like this, it is 
possible to detect rogue APs easily in your 
business environment. Now you have to sort 
the networks presented on your screen (by 
pressing "s") so you'll be able to select one of 
them and get detailed information. 
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Figure 1 . Kismet presenting wireless networks. 



To have a better look now, select a (your!) 
network, highlight it and press "i". An example 
of the information that can be presented here 
you can find in the next screenshot. Presented 
are the SSID, the BSSID, the active channel 
and the encryption method currently used. If 
WEP or WPA PSK is used for encryption you'll 
know that because Kismet is presenting this 
information straight forward. Attackers will ul- 
timately use this like you did to get some weak 
spots and to possibly gain access to a net- 
work. 

Collecting information using Kismet, Cain 
and Airodump-ng 

The tool Cain & Abel from Oxid is a very so- 
phisticated password recovery tool that allows 



you to recover various kinds of passwords. On 
networks it works by collecting packets from 
the network and cracking encrypted pass- 
words by either using a dictionary, brute-force, 
or cryptanalysis attacks. With this tool it is 
possible to collect packets and then later on 
recover WEP keys. AiroDump is a tool that is 
part of the AirCrack suite. 

With AiroDump-ng the same basic features 
are presented that you can find in Cain only 
command prompt orientated. AirCrack-ng 
makes it possible to derive a WEP key. 
There are a couple of methods that can be 
used to crack WEP and WPA. Both are sup- 
ported in the mentioned tools. 
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Figure 2. Detailed information from Kismet. 
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Now that some basic information is available a 
hacker can set up an attack. It is possible to 
simply collect packets using Cain & Abel or 
Airodump-ng and use this information for 
offline analysis trying to uncover the WEP key 
being used or to capture a four way hand- 
shake in case of WPA-PSK and more actively 
start a hack. How? I'll show you. 

WEP vulnerabilities 

WEP uses the RC4 stream cipher for encryp- 
tion. RC4 is used for the confidentiality part 
and the CRC-32 checksum for integrity. 

Stream ciphers like RC4 are vulnerable if the 
same key is used multiple times. This is called 
collision in cryptography. One way to get 
around this problem is to use an initialization 
vector (IV). This IV is an extra added value 
(random) in the encrytion process. Combined 
with a secret master key the one-time key for 
the stream cipher is created. One of the many 
problems with WEP is that the IV is too short, 
24 bits. In this case of WEP it is possible that 
the same IV would be used more than once if 
thousands of packets were sent with the same 
master key. So by capturing enough packets it 
is possible to break the encryption method. 

The mainly used versions of WEP are the 64- 
bit with an IV of 24 and the 128-bit version 
with a 24 bit IV WEP uses in the 64-bit variant 
a 40 bit key together with a 24-bit initialization 
vector (IV). In case of 128-bit WEP the key is 
most of the times a string. Each character rep- 
resents 4 bits of the key. 4 x 26 = 1 04 bits. 



Together with the 24-bit IV will make the 128- 
bit WEP key. 

Cracking the WEP key requires interception of 
lots of transmitted packets and this will take 
quite some time. There are active attacks that 
stimulate the necessary traffic. In 2004 a new 
WEP statistical cryptanalysis attack method 
(KoreK) became available. The code and 
method is currently supported in Cain and 
AiroCrack-ng. This KoreK attacks changed 
everything. Before that a packet collection 
worked only well with lots of packets due to 
the fact that only certain "interesting" or 
"weak" IVs were vulnerable to attack. 

Kismet tells you how many of these packets 
have been gathered. If you use Kismet for 
network discovery and sniffing, it breaks down 
the packet count for you, displaying the num- 
ber of "crypted" packets separately from the 
total number, as shown in my screen capture 
on the right. 

It is now no longer necessary that millions of 
packets are required to crack a WEP key. In 
this attack method the critical ingredient is the 
total number of unique IVs captured, and a 
key can often be cracked with hundreds of 
thousands of packets, rather than millions. 

The number of packets required for success 
varies. To present some figures here: a mini- 
mum of 200,000 for a 64-bit WEP key and 
around 500,000 for a 128-bit WEP key. Only 
encrypted packets with unique IVs counts in 
this situation. 
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The weak spotsi attacks acjainst WPA 

WPA or Wi-Fi Protected Access is introduced 
to overcome some weaknesses of WEP. WPA 
ultimately provides every user with different 
keys or provides a dynamic generation of 
keys. In smaller offices or companies and at 
home the more complex and expensive 
802.1 1x will leave the choice to WPA-PSK. 
PSK stands for Pre Shared Key. 

The PSK provides an easily implemented al- 
ternative to generate a Master Key, This same 
principle is used in the more complex 802. 1X 
where there is also a generated Master Key. 
Within PSK a 256-bit key is used directly as 
the Master Key. The Pre Shared Key (PSK is 
most of the times a passphrase (also kept in 
the Access Point), the Master Key then is de- 
rived from this passphrase. 

Currently the method used to break the WPA- 
PSK is a dictionary attack at the four way 
handshake. 

The four way handshake 

When a wireless client tries to gain access to 
an access point (AP) there will be a little con- 
versation between the client and access point 
(AP). This is the so called "4-way handshake". 
The WPA handshake was designed to occur 
over insecure channels and in plain-text so 
the password is not actually sent across. 
There are some algorithms as described be- 
fore that eventually in the background turn it 
into a primary master key, PMK. 

The only step is to have a capture of a full 
authentication handshake from a wireless cli- 
ent and the AP. If you are lucky you will cap- 
ture a full handshake and at that time you can 
start a dictionary attack. Again: it can take 
some time to catch a full handshake. So we 
can force this behavior of an authentication 
handshake by launching a de-authentication 
attack. If the wireless client is already con- 
nected we can force the connected client to 
authenticate itself again by sending de-auth 
packets. 

The reaction of the OS of the wireless client 
will be to reconnect to the AP and thus per- 
forming the 4-way handshake! When we cap- 



ture the re-connect and authentication, it 
saves time so we don't have to wait for the 
wireless client to do it themselves. Now that 
we have captured the 4-way handshake and 
saved it, we can start AirCrack-ng to work 
offline with a dictionary attack. Most pass- 
phrases are simple, short and easy predict- 
able so in most cases there will be success! 

I showed you the weaknesses of WEP and 
WPA. That concluded the hacking part and 
brings us to the countermeasures and tools 
you can use to close the gates. 

Analyze traffic with Wireshark 

You can use the Wireshark protocol analyser 
to have a better look at the traffic and analyse 
it in an understandable way. Although there 
are other solutions on the market (for example 
Wildpackets with Omnipeek and Microsoft 
with Network Monitor and other commercial 
solutions) we chose to use this tool for this ar- 
ticle because of the perfect cooperation with 
the AirPcap. 

There is no doubt that Wireshark is a valuable 
tool. While this is open source software it can 
be downloaded instantly from their website 
(www.wireshark.org). It is possible to scan 
ethernet data and it comes with some exten- 
sive filtering capabilities. Of course, it can also 
be used to capture 802.11 traffic. 

For wireless traffic, Wireshark presents the 
"packet list pane" which will give you an over- 
view of all the packets captured (find it in fig- 
ure 5 under section 1 ). If you zoom in on a 
specific packet, you can find information about 
it in the "packet details pane" (section 2) and 
finally, you will find the raw bytes of the con- 
tents at the lowest part of the screen (section 
3). 

The IEEE 802.11 header can be found in fig- 
ure 6. As you can see, this is fairly complex 
and wireless frames can have additional pro- 
tocols appended to them. A lot of flags such 
as power management and encryption options 
can be set. By using specific filter options it 
becomes much easier to search for the spe- 
cific data you are interested in and likewise 
exclude traffic that isn't of interest. 
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Figure 5. The Wireshark screen. 



Protecting your wireless network: 802.1 X 

The 802. 1X standard provides the opportunity 
to carry out authentication and encryption 
based on certificates and that on mutual ba- 
sis. Public Key cryptography (PKI) shows up 
here! 

The 802. 1X standard has been developed to 
block or restrict access on a port. The moment 
a computer initiates a connection with, for ex- 
ample an Access Point (AP) in your network, 
there must be successful authentication be- 
fore there is a complete network connection. 
Until that point, protocols such as DHCP and 
HTTP are permitted. So all traffic will be 
blocked at the Data link layer of the OSI 
model. Actually, 802.1 1X is somewhat mis- 
leading due to the suggestion that it can be 
used purely for Wireless networks. This is 



however a misunderstanding and this solution 
is even more widely used in wired networks. 

PKI and wireless networks 

PKI or a Public Key Infrastructure can be used 
to centrally manage certificates. These certifi- 
cates can be enrolled and in this way they can 
be used to control access to the wireless net- 
work. As well as the authentication, there is 
also the opportunity to encrypt the network 
traffic. 

The protocol that we use in these cases is 
EAP-TLS. EAP-TLS works with X.509 digital 
certificates. EAP is the acronym for Extensible 
Authentication Protocol, where TLS is Trans- 
port Layer Security. EAP is the part of the pro- 
tocol that simply fills in the authentication gap 
that 802.11 has. 
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EAP-TLS 

In the whole process, there are roughly three 
parties involved. The supplicant requests ac- 
cess onto the wireless network. This can be a 
laptop computer with a wireless card. The 
authenticator is the one receiving that request. 
Most of the time this will be an AP or Access 
Point. And third, there is the authenticating 
service. This will be the server or appliance 
that processes the request and then decides if 
access is granted. As you can see, there is 
strict separation between the entry point in the 
network (AP) and the party that accepts or re- 
jects the request (authenticating services). If 
the authenticating service grants access, the 
supplicant can make a full connection to the 
network. 

There is no other possible traffic in the first 
stage of access. It is just traffic that is neces- 
sary for the authentication process. The 
authenticator will perform an EAP-request and 
ask the supplicant to identify itself. The an- 
swer will be passed to the authenticating 
server. The authenticating server then checks 
if the request is acceptable and access can be 
granted. If access is granted, the port will be 
opened for other traffic. Otherwise, the re- 
quest will be rejected and no access is possi- 
ble to the wireless network. The authenticating 



service will pass on to the authenticator the 
order to either open the network port or keep it 
closed. 

Within the EAP-TLS handshake, the authenti- 
cation service will exchange a digital certifi- 
cate with the wireless device. This is called 
"mutual authentication". Thus it is not only the 
wireless device that hands over a certificate 
but also the authenticating service (server). 

The steps in this process are almost the same 
as those found in setting up an SSL connec- 
tion to a web server (more specifically: be- 
tween a web browser and the web server). 
The server in this case also presents a certifi- 
cate. 

The SSL protocol is therefore the predecessor 
of TLS. If the procedure is successfully com- 
pleted, the wireless device is connected and 
receives a certificate from the authenticating 
service (server or appliance in most cases). In 
the event that the wireless device accepts this 
certificate (and this is what you want of course 
for your certificates) both partners accept 
communication. EAP-TLS now provides the 
opportunity to exchange the keys that will be 
used to set up an encrypted tunnel for safe 
communications. 
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How 
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In larger wireless networks with a lot of Ac- 
cess Points (AP's) and large numbers of 
workstations, the question arises as to how to 
manage all this effectively. Setting up all 
workstations with the proper configuration and 
rolling out the certificates can be a real disas- 
ter if it isn't automated correctly. In daily life, 
we want to be able to streamline this process 
as much as possible but still be sure that it is 
safe. 

Although a number of manufacturers have im- 
plementations of RADIUS, or support for 
802. 11X, we set about looking for a solution in 
combination with a Microsoft infrastructure. In 
this case, we made use of Internet Authentica- 
tion services (IAS) and the Microsoft Certifi- 
cate services. The main reason for this restric- 
tion in this article is that many companies will 
have a network in place, which is mainly 



based on Windows client computers. There 
are of course alternative solutions available 
such combinations or stand alone solutions 
from Cisco, Nortel or Blue Socket. It depends 
on the needs of the organization and architec- 
tural starting points. 

Initially, Microsoft IAS was frequently used to 
serve both authentication and authorization in 
a centralized way for users who make connec- 
tions into the network from outside the com- 
pany. But IAS can be used satisfactorily as a 
central authentication server within Wireless 
networks. The IAS server in this case must be 
incorporated in the same Active Directory do- 
main where the users and computers that 
want to make use of the wireless network can 
be found. IAS can then use data already pre- 
sent in the Active Directory database. This can 
be easy to do and yet less time consuming as 
most organizations will have set up an Active 
Directory. 
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Figure 9. Set up the use of certificates in Windows Vista. 
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In addition to the IAS/RADIUS solution, you 
also have to set up a PKI infrastructure. For 
this purpose, the Microsoft certificate server 
can be used to issue the X.509 digital certifi- 
cates needed for EAP-TLS. It is outside the 
scope of this article to discuss the installation / 
implementation of the PKI fully. Within the Mi- 
crosoft solution it is possible to automate the 
roll out of certificates to both workstations and 
the IAS/RADIUS, by making use of the so- 
called "auto-enrollment". This is possible be- 
cause the client computers and the IAS server 
are already members of the Windows domain 
and have therefore already established trust. 
It is possible to regulate a couple of settings 
on workstations by means of Group Policies. 
Windows XP and Windows Vista are out of 
the box supporting 802.1 X. 

Certificates themselves can be stored on the 
computer (but you have to protect the storage 
by, for example encrypting the hard drive). 
The fact that the TPM chip can also play a 
role in this as a Hardware Storage module 
(HSM) is new. Although the use of EAP-TLS is 
more complicated to initially configure and 
manage (although PKI is necessary and in it- 
self does have some challenges to cope with), 
at this time, EAP-TLS is the safest method for 
protecting wireless networks. 

General recommendations securing your 
wireless network 

Finally, here are some general recommenda- 
tions and best practices on how to secure 
your wireless network against common 
attacks. 

• Using WEP better than nothing at all but as 
a minimum 128-bit encryption. If your equip- 
ment supports it, just use WPA2 instead. 
WPA2 supports also AES encryption. 

• Ensure your WLAN is protected by using 
advanced authentication and encryption. If 
possible use mutual authentication which is 
supported by the 802.1 X standard (EAP/TLS). 
Relying on just MAC address filtering is cer- 
tainly not enough! 



• Use encryption so that any conversations 
sniffed by an intruder would be very difficult to 
break. When using a wireless hotspot, use 
SSL like solutions or IPSec VPN without split- 
tunnelling. If not, a concept of the Man in the 
Middle attack (MITM) can be used. 

• For smaller organizations. If you use WPA, 
get a very long and complex WPA pre-Shared 
Key. This type of key is much harder to crack 
by performing a dictionary attack. It would 
take much longer to do so. 

• If possible, don't use WPA with a Pre- 
Shared Key at all. Use a non vulnerable EAP 
type to protect the authentication and limit the 
amount of incorrect guesses it would take be- 
fore the account is locked out. If using 
certificate-like functionality, it could also vali- 
date the remote system that is trying to gain 
access to the WLAN and will not allow a rogue 
system to have access to the network. Be 
aware that the account lockout threshold is 
below the Windows lockout (or have another 
precaution taken), otherwise your whole en- 
terprise can be knocked out by just trying all of 
the accounts a couple of times! So check your 
configuration thoroughly! 

• Take the time to adopt the technology and 
to properly set up the infrastructure. Have the 
test lab review it before promoting it to produc- 
tion status. 

Conclusion 

Due to the wide adoption of wireless networks 
and their complexity, it is recommended that 
you take the necessary measures to prevent 
the loss or disclosure of sensitive information 
to the public. Not only is this a concern for you 
and your company but it can also be part of 
local legislation! 

Take this seriously because it is the main en- 
trance point to the companies' infrastructure. 
Wireless LAN can be secured, but it takes 
time to make important decisions. It wouldn't 
hurt to have some kind of review undertaken, 
to check out what is going on in your network. 
This can be done by either making use of a 
tool like Wireshark, or by hiring an expert to 
perform an audit or ethical hack. 



Rob P. Faber, CISSP, CEH, MCTS, MCSE, is an information security consultant. He currently works for a 
global company and international IT services provider in The Netherlands. His specialization and main areas of 
interest are Windows Platform Security, Ethical Hacking, Active Directory and Identity Management. He main- 
tains a weblog at www.icranium.com and you can find him on Linkedln network. 
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Fraud mitigation and biometrics following Sarbanes-Oxley 

By Paul Sheldon Foote and Reena Hora 



Your company might be compliant, but you are still exposed to fraud. 



The old days of external auditors claiming that 
they are not responsible for detecting fraud 
and of managements depending upon man- 
agement letters from external auditors for 
learning about weaknesses in their internal 
control systems have changed with the en- 
actment of the Sarbanes-Oxley Act (SOX). 

Following SOX, external auditors, corporate 
attorneys, directors, and managements of 
large companies have legal obligations to 
mitigate fraud. Just as it is smart to use seat 
belts in automobiles regardless of local legal 
requirements, it is smart to use biometrics to 
improve internal controls and to mitigate fraud 
regardless of whether companies are large 
enough to be subject to SOX or to other man- 
datory laws, regulations, standards, or to 
codes. Laws represent minimum standards. 
Companies may still suffer large losses from 
frauds even if their internal control systems 
meet minimum standards. 

Accounting frauds and scandals 

The numbers and sizes of major accounting 
frauds and scandals became so excessive 



that Congress passed and President George 
W. Bush signed the Sarbanes-Oxley Act 
(SOX) of 2002. For general summaries of 
SOX, see tinyurl.com/2b5t3j. 

Lawsuits and criminal cases 

Investors and other third parties who have re- 
lied upon managements' representations and 
certified financial statements have sought to 
recover their losses in the courts. As experi- 
ence with SOX and court cases develop, there 
will be a better understanding of who will be 
held responsible for accounting frauds, scan- 
dals, and internal control failures. 

Lawsuits against external auditors, corporate 
attorneys, directors, and managements will 
provide evidence of what needs to be done to 
correct these failures. There can be several 
legal cases related to the same loss because 
parties may file cross complaints against each 
other. 

However, there are steps corporations should 
be taking now to mitigate future frauds. 
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Lawsuits against external auditors 

Over time, court decisions have expanded the 
types of third party users of certified financial 
statements. 

In Ultramares v. louche & Co. (1931), the 
court held that auditors may be held liable for 
ordinary negligence to a third party - provided 
that the auditors were aware that their certified 
financial statements would be used for a par- 
ticular purpose by known parties. 

More recent cases have moved from the 
known user approach to a foreseen user ap- 
proach. For example, in Williams Controls v. 
Parente, Randolph, Orlando & Associates, 39 
F. Supp. 2d 517 (1999), the court held that 



auditors could be liable to a purchaser of a cli- 
ent's business even if the auditor did not know 
at the start of the audit who the purchaser 
would be. 

In New Jersey, in Rosenblum v. Adler (1983), 
the court extended the liability of auditors to 
any third parties the auditors could "reasona- 
bly foresee" as recipients of certified financial 
statements for routine business purposes. 
[Whittington, O. Ray, and Kurt Pany, Principles 
of Auditing & Other Assurance Services, Six- 
teenth Edition, McGraw-Hill Irwin, 2008] 

Certified public accountants will not be able to 
continue to accept financial audit engage- 
ments unless corporate managements miti- 
gate the possibilities of frauds. 



It is not realistic to expect that companies will be able to make no improvements 
in their internal control systems and to buy enough insurance 

to cover all possible losses in legal cases. 



No insurance coverage 

It is not realistic to expect that companies will 
be able to make no improvements in their in- 
ternal control systems and to buy enough in- 
surance to cover all possible losses in legal 
cases. For example, one international public 
accounting firm paid $6 million to defend suc- 
cessfully a lawsuit involving a client with 
$20,000 annual audit fees. At least one major 
insurance company has responded by refus- 
ing to insure accounting firms for legal liabili- 
ties. [Whittington, O. Ray, and Kurt Pany, Prin- 
ciples of Auditing & Other Assurance Services, 
Sixteenth Edition, McGraw-Hill Irwin, 2008] 

Directors and officers have relied upon the 
availability of errors and omissions (profes- 
sional liability) insurance. 

Sarbanes-Oxley act (SOX) 

For a long time, external auditors attempted to 
defend themselves in fraud cases by claiming 
that the purpose of a financial audit (as op- 
posed to a fraud audit) is not to detect fraud. 
Sections 302, 404 and 906 of the Sarbanes 
Oxley changed the responsibilities of corpo- 
rate managements and of auditors with re- 
spect to fraud mitigation. 



Section 302 mandates corporate responsibil- 
ity for financial reporting and internal controls. 
It requires the CEO and CFO to certify that 
they have reviewed the report for the periodic 
filing and that the financial statements and 
disclosures in all material aspects truly repre- 
sent the operational results and financial con- 
ditions of the company. [Sarbanes-Oxley Act 
Section 302. Retrieved September 2007 from 
tinyurl.com/2xgs7u] 

Section 404 requires management's assess- 
ment of internal controls. It requires each an- 
nual report filed with SEC to contain a report 
on its internal controls. This report should 
state management's responsibility to establish 
and maintain internal control procedures for 
financial reporting and also assess the effec- 
tiveness of these internal controls. A regis- 
tered public accounting firm needs to evaluate 
management's assessment of their internal 
controls. [Sarbanes-Oxley Act Section 404. 
Retrieved September, 2007 from 
tinyurl.com/2dauws] 

Section 906 increases corporate responsibil- 
ity for financial reporting by requiring the chief 
executive officer and the chief financial officer 
to certify financial statements filed with SEC. 
These certifications must state compliance 
with Securities Exchange Act and also state 
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that all material aspects truly represent the 
operational results and financial conditions of 
the company. [The Sarbanes-Oxley Act of 
2002. Retrieved September, 2007 from 
tinyurl.com/2af3lx] 

CRIMINAL PENALTIES - Whoever - 

"(1) certifies any statement as set forth in sub- 
sections (a) and (b) of this section knowing 
that the periodic report accompanying the 
statement does not comport with all the re- 
quirements set forth in this section shall be 
fined not more than $1 ,000,000 or imprisoned 
not more than 10 years, or both; or 

"(2) willfully certifies any statement as set forth 
in subsections (a) and (b) of this section know- 



ing that the periodic report accompanying the 
statement does not comport with all the re- 
quirements set forth in this section shall be 
fined not more than $5,000,000, or imprisoned 
not more than 20 years, or both.". 

To comply with the Sarbanes-Oxley Act, cor- 
porations need to improve documentation and 
internal controls for financial reporting. These 
internal controls need to be tested and moni- 
tored to make financial reporting transparent. 
Management is required to provide a report on 
its internal controls. An independent auditor 
has to evaluate management's assessment of 
its internal controls and provide a report. Thus, 
the external auditors now have added respon- 
sibility for fraud mitigation. 



To comply with the Sarbanes-Oxley Act, corporations need 
to improve documentation and internal controls for financial reporting. 



SOX compliance requirements for 
management 

1 . Assess risk and design controls 

2. Segregate duties 

3. Place internal controls for processes and 
system access 

4. Monitor controls and follow up to check if 
controls are in place. 

5. Document and test the controls 

6. Management has to provide a report on its 
internal controls. 

7. An independent auditor has to evaluate 
management's assessment of its internal con- 
trols and provide a report. 

DuPont's 10-K report filed in 2005, 2006 & 
2007 includes Management's Reports on Re- 
sponsibility for Financial Statements and In- 
ternal Control over Financial Reporting. 

These show DuPont's management reports on 
its internal controls for financial reporting for 
SOX compliance. The 10 K report also in- 
cludes independent auditor Pricewaterhouse- 
Coopers LLP's report on their evaluation of 
management's assessment of their internal 
controls. 

These certifications are examples of SOX 
compliance. 



Public Company Accounting Oversight 
Board (PCAOB) 

The Sarbanes Oxley Act of 2002 created the 
Public Company Accounting Oversight Board 
(PCAOB) for setting auditing standards for 
public companies. Smaller companies con- 
tinue to use Statements on Auditing Standards 
from the American Institute of Certified Public 
Accountants (AICPA). 

On July 25 2007, the SEC approved PCAOB's 
Accounting Standard No 5 "An Audit of Inter- 
nal Control over Financial reporting That Is In- 
tegrated with an Audit of Financial State- 
ments" ["PCAOB's New Audit Standard for In- 
ternal Control over Financial Reporting is ap- 
proved by the SEC". Date: July 25, 2007. Re- 
trieved September, 2007 from 
tinyurl.com/2fl2gr] 

All registered audit firms will be required to 
use this standard for their audits of internal 
controls. 

Statements on Auditing Standards (SAS) 

In November 2002, in the wake of the ac- 
counting scandals, the Auditing Standards 
Board issued SAS 99 "Consideration of Fraud 
in a Financial Statement Audit". 
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SAS 99 supersedes SAS 82. It gives the audi- 
tor more guidance to detect material mis- 
statements due to fraud in financial state- 
ments. [CPAs' Perceptions of the Impact of 
SAS 99" Authors: Donald C. Marczewski and 
Michael D. Akers. Source: The CPA Journal. 
June 2005 issue. Pg 38. Retrieved September 
2007 from tinyurl.com/2ttzv6] 

Case study: DuPont fraud 

In the DuPont fraud case, Gary Min, a former 
employee who worked as a research chemist 
at DuPont stole trade secrets from DuPont 
valued at $400 million. He had accepted em- 
ployment with rival firm Victrex in 2005. After 
accepting the employment, he continued to 
work with DuPont for a few months and down- 



loaded 1 80 confidential papers and thousands 
of abstracts from the DuPont server and in- 
tended to use this confidential data in his new 
post. Most of this data was unrelated to his 
work. 

When he resigned from DuPont, his unusually 
high usage of the server hosting DuPont's 
technical documentation was detected. Victrex 
cooperated with DuPont and seized Min's lap- 
top and handed it over to the FBI for investiga- 
tion. Min later admitted to misusing DuPont's 
trade secrets. ["DuPont chemist pleads guilty 
to IP theft." Computer Fraud & Security. Vol- 
ume 2007 issue 3 March 2007, pg 3 Re- 
trieved online from Science Direct database in 
September 2007 - tinyurl.com/378gmr] 



In the DuPont fraud case, Gary Min, a former employee who worked 
as a research chemist at DuPont stole trade secrets 
from DuPont valued at $400 million. 



Sarbanes-Oxley compliant yet exposed to 
fraud 

DuPont's 10-K report filed in 2005, 2006 & 
2007 includes CEO & CFO's certifications of 
the financial statements filed with SEC stating 
compliance with Section 13 (a) of Securities 
Exchange Act of 1934 and also stating that the 
report fairly represents in all material aspects 
the financial condition and results of opera- 
tions of the company. Their 1 0 k reports also 
include Management's Reports on Responsi- 
bility for Financial Statements and Internal 
Control over Financial Reporting. 

These show DuPont's corporate responsibility 
for financial reporting and their internal con- 
trols. These were assessed and certified by 
public accounting firm PricewaterhouseCoo- 
pers LLC as seen in their 10-k report. Thus, 
DuPont complied with SOX. This compliance 
did not eliminate their exposure to fraud by 
internal security threats. 

This fraud could have been mitigated if bio- 
metrics were used at DuPont for internal con- 
trols. The confidential data access should 
have been restricted to certain users by using 
biometric computer authentication instead of 
passwords for computer authentication. Min 
should have had access after biometric 



authentication to only data related to his re- 
search. DuPont could have used various lev- 
els of biometrics authentication to grant ac- 
cess to users accessing the confidential data. 
As this was unrelated to Min's work, Min 
would not have access to this confidential 
data. This would prevent unauthorized users 
from accessing the trade secrets. 

The report of who accessed or tried to access 
this server would have shown that Min tried to 
access this data and would have authorities at 
DuPont investigate Min's intentions. Biomet- 
rics authentication could have saved DuPont 
the risk of losing confidential data to rival firms 
and also have saved them the expense of go- 
ing through a court case to protect their intel- 
lectual property. 

Biometrics: an identity management and 
fraud mitigation solution 

Accounting frauds perpetrated by high-level 
managers of major companies prompted the 
passage of the Sarbanes-Oxley Act. These 
accounting frauds were possible because of 
weak internal control systems and of external 
auditors claiming that financial audits were not 
designed to detect frauds. The DuPont case 
shows that there are reasons beyond account- 
ing frauds for strengthening internal control 
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systems. A single employee accessing trade 
secrets can cause hundreds of millions of dol- 
lars of losses for a company lawsuits, and de- 
clines in the value of a company's stock. 

According to a 2006 study by Association of 
Certified Fraud Examiners, 25% of internal 
frauds caused at least $1 million in losses per 
incident. The first single incident median loss 
was $159,000 and in over 9 cases the internal 
fraud cost the company over $1 billion. [ACFE 
(Association of certified Fraud examiners) 
2006 Report to the nation on Occupational 
Fraud. Retrieved September 2007 from 
tinyurl.com/3bkzuy] 

Frauds cannot be completely eliminated, but 
controls can be put in place to minimize 
frauds. A company has to have tighter controls 
over the user's system access rights, limit ac- 
cess to sensitive data based on user role, and 
monitor who tried to access sensitive data. In- 
stead of using a weak password control sys- 
tem, companies need to be using a user ac- 
cess authentication system with these charac- 
teristics: unique identification of each user and 
controls extending to the transaction and field 
levels. 



forcement an "open system" is used where 
law enforcement authorities scan a finger with 
an optical sensor and store an entire image of 
the finger (mostly all fingers) in the national 
IDENTor AFIS database. This enables all law 
enforcement authorities to check fingerprints 
against those templates. 

Biometrics for computer authentication can 
protect the privacy of users of the system 
while still identifying uniquely the users. A pro- 
prietary binary template (01 110101 01 0) con- 
sisting of a unique set of numbers is created, 
not an optical scan of the fingerprint. 

While a few laptop computers had fingerprint 
sensors already in the late 1 990's, every major 
laptop manufacturer offers now at least one 
model with a built-in fingerprint sensor. With 
the astonishing improvements in the sensor 
technology, manufacturers have switched from 
a larger touch sensor to a smaller and much 
more secure swipe sensor. They favor the 
proven swipe sensor from biometric leader 
UPEK. Built-in fingerprint sensors, together 
with hard drive encryption, were the top 2 re- 
quirements from corporate America for laptop 
manufacturers. 



Biometrics 

Biometrics can provide this solution. Biomet- 
rics uses certain characteristics of a person 
such as fingerprints, retinal pattern, or even 
speech pattern to uniquely identify a person, 
grant access for an authorized user and 
clearly reject unauthorized users. Biometrics 
for computer authentication is different than 
biometrics for law enforcement. For law en- 



[Notebook with a built-in fingerprint sensor". 
Author: Jean Francois Manguet. Retrieved 
September 2007 from tinyurl.com/25rczj] 

A company does not need to wait until the 
next round of computer purchases to imple- 
ment biometrics solutions. Inexpensive USB 
add-ons using UPEK sensors are available 
from UPEK and from The Cherry Corporation. 
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Fraud mitigation in an SAP Environ- 
ment using bioLock 

Security risks 

A major reason for the popularity of SAP R/3 
with corporations is the fact that SAP inte- 
grated most of the data of a company across 
most or all of the departments. While corpora- 
tions need integrated data, individual users of 
computer systems should not be able to ac- 
cess data for which they lack authorizations. 
Internal control systems must have segrega- 
tion of duties. The Sarbanes-Oxley Act formal- 
ized the legal requirements for corporations 
and for external auditors. 

SAP is all about business processes and roles 
assigned to users for these processes. This 
ensures segregation of duties. SAP has a 
report-generating feature which generates re- 
ports of who performed which transaction 
when. So, this does seem like it is complying 
with SOX. Is this enough, however, to mitigate 
fraud? 

1 . The system gives access to users with 
passwords which match the approved user 
profile. Anyone having access to this pass- 
word can basically log on to SAP and perform 
the desired transaction. 

2. SOX requires segregation of duties. SAP 
provides that with allowing access to certain 
transactions to restricted users with prede- 
fined roles having their passwords. Is this 



really secure? Anyone who has access to the 
username and password can easily perform 
the transaction. This defies segregation of du- 
ties. 

Basically, a user can log on to the SAP system 
perform a transaction and use another pass- 
word and username to perform another trans- 
action. It is very easy for User A to get access 
to a username and password of User B and 
perform a Sales transaction and then to get 
User C's username and password and per- 
form a financial transaction. The SAP report 
would show that User B and User C have per- 
formed the transaction when User A has per- 
formed the transaction. User B and User C are 
completely innocent. 

Another scenario would be that User B logs on 
to SAP and leaves his desk to make a few 
photocopies. Meanwhile, User A goes to User 
B's desk and performs a financial transaction 
before User B returns. Poor User B has no 
idea what just happened, but the transaction 
report would report User B as having per- 
formed that transaction. It is impossible to 
track, which "actual" person accesses or 
changes critical information 

3. Business partners and outsourced compa- 
nies have access to SAP. Many processes 
and audits are being outsourced. This would 
give the users from an outsourced company or 
external consultant's access to company data. 
Sometimes, business partners and vendors 
also have access to the company SAP 
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system. This makes the system more vulner- 
able to security threats. With increasing 
globalization, many employees access critical 
information from different parts of the world. 

All of the above shows that the SAP system, 
or any other ERP system using only pass- 
words, does not provide adequate fraud miti- 
gation or possibly even compliance with SOX 
sections 302 and 404. 

The historically accepted flaws in security 
completely defy the internal controls and seg- 
regation of duties required by SOX. Everything 
has changed since the invention of computers 
including programming languages and plat- 
forms, but one thing which has not changed is 
the most critical factor: security. We still use 
the same old way of usernames and pass- 
words for security. This is just an illusion of 
security. 

There are many ways to discover passwords, 
ranging from casual coffee conversation to 
more sophisticated software which grabs 
passwords. If the password requirements get 
more complex, to increase security people 
usually write down this password someplace 
so that they do not forget the complex pass- 
word. Whoever has access to this written 
password is a security threat. 
[www.fraudmitigation.com] 

Another easy way to access passwords is 
small cameras that now are built in cell 



phones, pens, and buttons. Someone can re- 
cord a password and play it back slowly to see 
what the password was. Even if you cannot 
play the password back, you can determine 
the password. 

To view a demonstration of this, visit the fol- 
lowing educational website 
www.showpasswordsthefinger.com and see if 
you can figure out the password in the video. 
It is quite easy to determine what she is typ- 
ing. The following link shows how truly dan- 
gerous it is to use only passwords for security: 
tinyurl.com/3x6a5r. 

Realtime has used biometrics to create bi- 
oLock. The bioLock system is currently the 
only biometrics system certified by SAP for 
use with SAP's systems. 

bio Lock provides 3 levels of security in an 
SAP environment 

1 . Firstly, the user will have to provide finger- 
print identification to get access into the SAP 
system. 

2. Secondly, bioLock controls can be installed 
at certain transaction levels requiring finger- 
print verification before allowing the transac- 
tion. For example: A company's balance sheet 
has sensitive data and the access to this can 
be restricted to authorized personnel. So, 
whoever tries to view the balance sheet will be 
asked for fingerprint authentication. 



SAP 



Language 




bioLock 
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identified user is : PAUL FOOTE 



If someone who does not have access to this 
balance sheet tries to view this balance sheet, 
the system will kick them out and also log that 
they tried to access the system to view the 
balance sheet. Unlike the Enron case, this 
system can also provide evidence in court 
cases if the executive management had 
viewed the balance sheet in case of fraud. 

3. Thirdly, the security can be further tightened 
by requiring fingerprint authentication at the 
individual field level. For example: Something 
as secure as a wire transfer can be set to re- 
quire a fingerprint authentication if the amount 
to be transferred is more than $10,000. If any 
amount more than $10,000 is entered in the 
field, then the system would automatically re- 
quire fingerprint authentication. 

To add security, the wire transfers could be set 
to require dual fingerprint authentication which 
would require an additional designated person 
to approve the wire transfer. 



bioLock can create a log of who accessed or 
tried to access the system and of who per- 
formed or tried to perform certain transactions 
within SAP. It even has a feature of 911 alerts 
wherein you can designate a finger as your 
911 finger and use it if somebody forces you to 
perform a transaction. This will immediately 
alert security. 

The report on the following page shows that 
using bioLock no one can logon as a different 
user. The report gives the following details. 

When SAP user Paul (bioLock-User Column) 
tried to log on as Reena (SAP User / User 
Name Column to the left) the system identified 
him and denied access. When user Reena 
tried to logon as herself the system uniquely 
identified her and allowed system access to 
release a purchase order of $40,000 car. 
When user Reena was away and another uni- 
dentified person who didn't even have a 
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biometric template tried to access the pur- 
chase order on user Reena's computer, the 
bioLock could not identify the stranger and re- 
jected him. When user Paul tried to access the 
system as himself, the system uniquely identi- 
fied him and granted access. When user Re- 
ena tried to create a Purchase order on this 
computer the system rejected her. The report 
shows next Thomas logged on as administra- 

Call bioLock Protocol and System-Log 



tor and accessed the bioLock transaction. The 
next line shows that Paul opened the balance 
sheet transaction. Next, Reena tried to view 
this balance sheet and as this was protected 
by bioLock the system identified her and de- 
nied access to the balance sheet. The last line 
shows Paul opened the balance sheet trans- 
action again. 
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A report like this gives details of who tried to 
access the system and performed or viewed 
which transaction. This can prove which offi- 
cers and managers looked at certain financial 



statements or documents. This report can be 
used as evidence in court cases of who ac- 
cessed the financial and other documents and 
performed which tasks. 
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The above report shows that Reena was iden- 
tified but rejected as she tried to perform a 
wire transfer on computer which was logged 
on as SAP user Paul. Next the report shows 
that SAP user Paul tried to make a wire trans- 
fer above a certain amount which had an in- 
ternal control requiring biometric confirmation. 
The report also shows that SAP user Thomas 
who was logged in as SAP ALL administrator 
tried to access the bioLock transaction. The 
next line shows that SAP user April confirmed 
Thomas's request for the bioLock transaction. 
For extremely critical task two different people 
and their biometric authentication can be re- 
quired to perform a task. This ensures the 4- 
eye principle within the SAP system. 



The next to the last line shows that an unau- 
thorized user who was not their employee 
tried to make a wire transfer on Paul's com- 
puter which was logged onto SAP. AS the sys- 
tem did not recognize him, he was rejected. In 
a desperate attempt, the intruder forces Re- 
ena to execute the wire transfer for him on 
Paul's computer. Reena reacts calmly and 
uses her separately enrolled 911 finger for 
authentication. This system rejects the task 
visible for the intruder, but notes in the log file 
that a "911 finger" was used to alert authorities 
about a known security breach. An automated 
scanner could alert security when a 911 is 
posted in the log file. 

This report demonstrates how a sensitive 
transaction, such as a wire transfer, 
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E&Dual Authentication Necessary 
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is protected by bioLock and will also provide 
evidence in a court case. 

Using a technology like bioLock provides true 
segregation of duties and internal controls as 
the system uniquely identifies each user and 
only allows certain users access to sensitive 
data or transactions. All users in a company 
do not need to have a bioLock controlled ac- 
cess. Only certain users having access to 
sensitive data can be set to access the critical 
data using bioLock. Once the sensitive trans- 
actions are locked by access to restricted us- 
ers by bioLock all other users are automati- 
cally filtered out and blocked from accessing 
the sensitive data. For the first time, the busi- 
ness can clearly define a simple "invitation 
only" list for certain transactions and users. 
bioLock will ensure that no other actual users 
will access the protected functions. bioLock 
packages are available with as low as 50 us- 
ers and can be available for as many users as 
required. A complete installation package 
starts under $100,000 and would go up de- 
pending on the number of users. This will pro- 
vide evidence in case of a court case and also 
make it very transparent to auditors. This will 
truly make SAP compliant with SOX. 

In the DuPont case, the company's manage- 
ment did not detect Min's unusually high activ- 
ity on the server with the intellectual property 
until he resigned. The management did not 
have effective internal controls securing ac- 
cess to the server. They could have set con- 
trols which would flag the authorities if there 
was such unusual activity. They could have 
purchased a bioLock package of 1 ,000 seats 
protecting their top 1 ,000 users with access to 
their various departments including finance, 
human resources, research to name a few. 
This would have cost them a few hundred 



thousand dollars, a small price to protect their 
intellectual property, image, stock price and 
hassles of a court case. This would have miti- 
gated the risk of losing $ 400 million of intel- 
lectual property. If DuPont had lost millions of 
dollars, there would have been shareholder 
lawsuits. Using bioLock, they could have re- 
stricted scientists such as Min's access to a 
small reasonable part of the system for re- 
search. Anything above normal could have 
been set to require dual fingerprint authentica- 
tion and also raise a flag to be investigated if 
found unreasonable. bioLock could also have 
provided a report of who accessed and who 
tried to access the data. This evidence could 
have been used in the court case against Min. 
DuPont's internal controls were inadequate for 
this type of fraud. While DuPont's executives 
and external auditors (PricewaterhouseCoo- 
pers) certified the adequacy of internal control 
systems for accounting frauds, there are other 
types of frauds for which shareholders can 
sue companies and external auditors. 

Conclusions 

Contrary to popular beliefs, corporate man- 
agements and external auditors have legal ob- 
ligations to mitigate fraud. In addition to frauds 
perpetrated by persons not working for a 
company and accounting frauds perpetrated 
by employees, companies can be exposed to 
large risks of losses from the theft of intellec- 
tual property. Laws and regulations provide 
only minimum standards for corporate internal 
control systems. For corporate managers, di- 
rectors, and external auditors who want to 
avoid lawsuits, they need to implement better 
security than the use of only passwords. Using 
only passwords is an invitation to fraudsters. 
Biometrics systems provide fraud mitigation. 
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Interview with Andre Muscat 

Director of Engineering ot GFI Software 

By Mirko Zorz 



What are some of the challenges you face 
in your current position? 

I believe the major challenge is to continue 
building security software that is easy and 
lightweight to use. The vast majority of secu- 
rity software is built for enterprise customers 
that have significant IT departments. Thus the 
software tends to be labor intensive to install, 
set up and most importantly administer. These 
solutions are then pushed on to smaller com- 
panies that, frankly, do not have the capacity, 
expertise or inclination to use such a heavy- 
weight and costly solution. At GFI we continu- 
ally challenge ourselves to build security soft- 
ware that is effective whilst also being easy 
and lightweight to use. 

What new security trends and 
technologies do you find exciting? 

It is the fact that security is not just about hav- 
ing a firewall and an anti-virus scanner any 
more. Malicious threats and computer misuse 
have moved on and we are now witnessing 
the transition to a full-scale eCrime industry. 



This industry is now worth $100M per year 
and driving ever more sophisticated attacks 
and scams. Companies are maturing their re- 
sponse slowly shifting from 'security' to a 'risk 
management' approach, whereby business 
decisions drive how and what a company 
uses in terms of security products or computer 
systems. 

Based on your experience, what is the 
biggest challenge in protecting sensitive 
information at the enterprise level? 

Protecting sensitive information is a major 
challenge for companies irrespective of size, 
activity or location. The use of technology has 
greatly facilitated the way they do business - 
both in terms of volume and speed - yet it has 
also created security issues that need to be 
addressed. 

Today most companies have an online pres- 
ence, they do business over the internet, they 
transfer data from one office to another and 
their employees are mobile thanks to laptops 
and remote access. 
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Therefore, any data stored on a network can, 
unless properly secured, be accessed by ma- 
licious individuals for financial gain or for re- 
venge. 

There is no one 'big' issue, one major chal- 
lenge, but rather a mix of problems and con- 
cerns that include network growth, the threat 
posed by company insiders and financial re- 
strictions. 

Undoubtedly, network growth is one the big- 
gest challenges. As networks grow larger and 
more systems are connected, the more com- 
plex they become and the more difficult for a 
company to keep track and control what is 
happening on its network and what use is be- 
ing made of it. Furthermore, as networks grow 
so do the risks of data loss and downtime - 
and obviously this comes at a cost. Each net- 
work and business running on that network is 
unique and only the businesses themselves 
can quantify in hard currency how much net- 
work downtime will actually cost them... but it 
never comes cheap. 

The second security-related issue is the threat 
posed by employees and other insiders. This 
is a growing concern for companies and re- 
cent breaches are proof that it is a problem 
that cannot be ignored any longer. Disgruntled 
employees can abuse a position of trust to 
steal company data. Security naive employ- 
ees may open an executable which arrived in 
their email inbox to look at a joke without 
stopping to think that a virus may be embed- 
ded within that joke. Internal employees may 
be tricked into performing actions which they 
themselves would not know are insecure e.g. 
sticking username and passwords to their 
monitors, sending out sensitive information 
such as company credit card details in reply to 
an email claiming it comes from the user's 
bank. There are also cases when employees 
are unlucky e.g. when their laptops are stolen 
or a USB Stick is lost. 

There are other weaknesses such as the use 
of default configurations, the uncontrolled use 
of consumer devices, such as USB sticks 
which are used extensively by employees, 
browsing of consumer-focused websites, web- 
based threats such as phishing sites and 
email scams which expose the company to 
high risk. 
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The third category of security issues revolves 
around finances and budgeting. Companies 
are typically run on tight budgets. This makes 
it more difficult for IT administrators to seek 
funds to purchase software to protect the net- 
work. The problem is exacerbated when a 
communication gap exists between the IT 
administrator and senior management and the 
two fail to speak the same language, resulting 
in companies being either unaware of the risk 
or operating at a high risk of a security breach. 

Improving security requires a holistic ap- 
proach that includes investing money in qual- 
ity solutions, helping management to under- 
stand the risks and increasing awareness 
among employees about the importance of 
security. 

In your opinion, what is the most signifi- 
cant security threat at the moment? What 
do you see your customers most worried 
about? 

Personally, I would say that insider threats 
and the uncontrolled use of portable devices 
such as iPods, flash drives, USB sticks, 
Blackberrys, PDAs and laptops are a major 
concern for companies; or rather should be a 
major concern for companies and I'll explain 
why. 

We are currently working on some research in 
the US and initial results indicate that the ma- 
jor concern for companies is still virus attacks. 
The threat posed by insiders using portable 
devices however is rather low, a single digit 
figure. There are two possible reasons for this; 
either companies already take the use of port- 
able storage devices seriously and block all 
devices or, and in my opinion the most prob- 
able reason, companies are still unaware of 
the serious threat posed by insiders and these 
consumer devices. Why? That's a million dol- 
lar question but I think it boils down to educa- 
tion and greater awareness of the security 
threats facing companies. It is really easy for a 
trusted employee to plug in his lifestyle device 
such as an iPod and steal data in a matter of 
seconds. What is even worse is that iPods 
can be used to introduce malware, such as 
viruses and Trojans, pornography, part-time 
work material and more to the office. 



What is unknown to the user is that malicious 
software (pre-installed on the USB stick) can 
run in the background and email out sensitive 
information such as usernames and pass- 
words, office files and so on which are used 
by that user on that machine. These attacks 
are very real and very worrying because of the 
ease and speed of execution. 

Unless network administrators take preemp- 
tive security measures to prevent these things 



from happening through education and tech- 
nology barriers which enforce company policy 
the company will only be exposing itself to 
major security breaches and attacks. 

Network administrators need to make better 
use of the tools that are available to them and 
senior management needs to start looking at 
security as an investment instead of an over- 
head. 



Senior management needs to start looking at security 
as an investment instead of an overhead. 



What's your strategy when deciding on the 
implementation of new features for GFI 
software? 

"What do SMEs need or, more specifically, 
what do IT administrators in SMBs require?" is 
the question we always ask ourselves. 

IT administrators in SMBs want best-of-breed 
solutions that offer quality and unbeatable 
price performance and that address the prob- 
lems that they face every day. And this is what 
GFI has been doing successfully for many 
years now. 

SMBs are faced with the problems resulting 
from expanding networks, an increase in at- 
tack vectors and little or no budget to improve 
and secure their network. GFI's focus has al- 
ways been small and medium sized busi- 
nesses. Unlike enterprise companies that 
have taken enterprise-level products and 
scaled them down for SMBs, GFI has de- 
signed its products from the ground up to 
meet the needs of SMBs but at the same time 
providing enterprise-level functionality at an 
affordable price. 

We are constantly monitoring trends and new 
technologies that can impact negatively on our 
customers' networks. Our strategy to imple- 
ment new features is based on a) research 
that our security teams carry out and b) the 
feedback that we receive from our technical 
support personnel and from our customers 
who provide us with feature requests. We are 
proud to say that we understand our custom- 
ers much better because we listen to what 



their needs are and accordingly develop and 
tweak our products on a regular basis. 

What have been the most important soft- 
ware releases for GFI in 2007? 

Every product release is important for GFI be- 
cause it reflects our commitment to providing 
our customers with quality and cost-effective 
solutions that address and solve the problems 
that IT administrators are facing. 2007 saw 
five important product launches. These were 
GFI LANguard Network Security Scanner 
(N.S.S.), GFI WebMonitor for ISA Server, GFI 
FAXmaker and GFI MailArchiver (November) 
and GFI EndPointSecurity (November/ 
December). 

GFI LANguard Network Security Scanner 
(N.S.S.), recently winner of the "Best of 
Tech Ed 2007" in the security category, is a so- 
lution that addresses the three pillars of vul- 
nerability management: vulnerability scanning, 
patch management and network auditing. 
Apart from major updates to version 7, the 
new version snipped with state-of-the-art vul- 
nerability check databases based on OVAL 
and SANS Top 20, providing over 15,000 vul- 
nerability assessments when the network is 
scanned. 

GFI WebMonitor for ISA Server allows com- 
panies to control employees' web browsing 
activities and to ensure that any files down- 
loaded are free of viruses and other malware. 
The new version comes with WebGrade, a 
1 00% human-reviewed site categorization da- 
tabase that gives administrators control over 



www.insecuremag.com 



75 



what sites users can browse and block access 
to websites in particular categories, such as 
adult, online gaming, personal email, P2P, 
Facebook, Myspace, travel websites and 
more. 

GFI FAXmaker is a fax server that makes 
sending and receiving faxes an efficient, sim- 
ple and cheaper process. FAXmaker was 
GFI's first product and today is the leading fax 
server on the market. This version was re- 
leased in October and supports Exchange 
2007 and Cantata's Brooktrout SR140 FolP 
technology. 



The new version of GFI MailArchiver, an email 
management and archiving solution, comes 
with auditing functionality that ensures that all 
archived emails have not been tampered with 
and a PST migration tool which provides ac- 
cess to old PST files on client machines. 

The final major release last year was GFI 
EndPointSecurity 5. This version comes with 
considerable improvements and new features 
that offer more granular control over portable 
device usage. 



I believe that the challenges we face today 
will very much be the same in five years time. 
Companies will still be threatened by spam, 
by viruses, by malware. 




What challenges does GFI's product port- 
folio face in the next 5 years? 

Our products have developed very much in 
parallel with developments and trends in the 
security sphere and, most importantly, on the 
basis of feedback and feature requests from 
our customers. 

I believe that the challenges we face today will 
very much be the same in five years' time. 
Companies will still be threatened by spam, by 
viruses, by malware. Networks will still be sub- 
jected to DoS attacks, hackers will still ply 
their trade making the most of vulnerabilities 
in systems. Employees will still be a concern 
because they have access to company infor- 
mation. Portable devices will still be misplaced 
or stolen. 

The threats will not change but merely evolve 
to reflect improvements in technology and 
new trends and approaches to security. 

The challenge for GFI is to remain one step 
ahead of these changes and to evolve with 
them. The challenge is to continue providing 
high quality products for the SMB market that 
meet the needs of IT administrators and suit 
the pocket of management. 



All this will have to take place in a competitive 
market that is becoming more selective, more 
critical and more budget-conscious. That said 
we are confident that we have the expertise 
and the ability to face these challenges. So 
long as people use technology to communi- 
cate and networks are needed to do business, 
then companies will need our products for 
their security and peace of mind. 

What can customers expect from GFI in 
2008? 

Our customers can expect GFI to continue 
providing quality solutions for IT administra- 
tors in SMBs at a price that is not only afford- 
able but among the lowest they will find on the 
market - but without compromising on func- 
tionality. 

Price performance has, and will always be our 
key differentiator. We insist on this in every 
product that we sell to our customers. We 
have a number of product launches planned 
for next year and these will ship with larger 
feature sets to reflect, in great part, the needs 
of our customers. 
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QualysGuard (www.qualys.com) is product used for conducting automated 
security audits without any need of software or hardware installation by its 
users. 

The service is provided through a very fast and stable online application 
which does over 150 million IP audits per year. 



lUALYSGUARD' EXPRESS 
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From the QualysGuard dashboard you can start any of the actions provided in the Navigation 
menu located on the left of the screen. 
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You can map a network by scanning IP addresses, domains or netblocks. This is a sample 
results of a mapping activity in a test environment. 
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After the mapping is done, you can start scanning. These are some of the default option 
profiles offered in QualysGuard. 

Vulnerabilities [27) 
■ 
■ 
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SSH Protocol Version 1 Supported 


port 22/tcp 
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Discovery of Unix Account Names Vulnerability 
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SSL Certificate - Signature Verification Failed Vulnerability 
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When the scanning process is finished, you will be presented with the overview of the 
vulnerabilities detected on "target" hosts. 
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Do not create a ticket for these conditions 





Within the application there is a dedicated ticketing service for prioritizing and fixing vulner- 
abilities by using recommended solutions. You can create your own policy for specific 
vulnerability types. 
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QualysGuard has a powerful reporting capabilities, so besides the standard in-depth report, 
you can also chose one of the predefined reporting templates. 
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Results of a risk analysis test for a sample vulnerability. 
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Example of an active ticket related to SSL server security issue. 
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Sample of a visual report detailing vulnerabilities by severity and operating systems. 
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Application security matters: deploying 
enterprise software securely 

By Bern Whalcy 

One of the most interesting aspects of being an information security consult- 
ant is the exposure to an enormous variety of industries and organizations. 
From healthcare to governments, non-profits to small private companies and 
more, the consultant must be versed in dozens of technologies, regulations, 
and business practices in order to be effective. Today, any security consultant 
worth his salt recognizes at least one common security weakness across the 
board: vendor-developed applications, often industry specific, are the 
Pandora's Box of the information security program. 



Commercial off-the-shelf (COTS) software 
companies have developed applications in 
every conceivable nook and cranny to digitize 
and automate processes, storing the lifeblood 
of the organization in a database and making 
it accessible through a GUI front end. Increas- 
ingly, these types of applications are web- 
based, migrating IT back to the thin applica- 
tion environment of the 1980s. Because these 
applications are the window to the very infor- 
mation that keeps organizations alive, it is es- 
sential that they be protected with every tool 
in the infosec arsenal. Unfortunately, the mo- 
notonous "features now, security later" adage 
still rules. 

Consider a new application deployment at 
ACME Corporation, a medium-sized, industry- 
generic company computerizing a key busi- 
ness process for reporting and efficiency pur- 
poses. ACME might take the following ap- 
proach to the project: 



1) ACME management initiates the project 
and issues a request for proposals (RFP) to 
select a vendor. 

2) After choosing the vendor and signing a 
contract, ACME assembles the internal im- 
plementation resources to work with the ven- 
dor. The team consists of a system adminis- 
trator, a database administrator, a network 
administrator, a project manager, and a busi- 
ness representative. 

3) The project team engages the vendor to 
gather first steps and schedule an implemen- 
tation date. A checklist of installation steps 
may be provided. Most often, a vendor- 
supplied service professional will be on-site 
for the installation. 

4) During an installation phase, test and pro- 
duction servers are configured, the application 
is installed and configured for ACME'S unique 
business needs, and data is scanned from 
paper into the application's database. 
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5) The application is tested and accepted by 
the business representative. 

6) End users are trained, and the application 
is promoted to production. 

7) The maintenance and support phase be- 
gins. 

This familiar IT project life cycle leaves a se- 
curity guru feeling unquestionably queasy. 
How could this seemingly straightforward 
installation increase risk to the organization? 

Here are just a few vulnerabilities that were 
overlooked. 

• Because the application was developed 
about a year ago, it was certified by the ven- 
dor against the operating system patches 
available at that time. Too busy developing the 
next version to certify new patches, the instal- 



lation checklist explicitly disallows the more 
recent patches. 

• After completing the database software 
installation, the widely accessible database 
administrator account password is left at the 
default - blank. 

• Several application administrator accounts 
with simple passwords were created during 
the testing phase and are not removed prior 
to the production deployment. 

• The application has auditing capabilities, but 
the required module was not purchased dur- 
ing the contracting phase and subsequently 
was not installed. 

• The vendor supports only Telnet for remote 
support, and was given a generic account 
with a shared password for ongoing mainte- 
nance. 

• The web front end is deployed without the 
use of SSL encryption. 



SECURITY SHOULD BE PART OF THE PROCESS FROM THE BEGINNING 



This is an extremely common result of many 
application deployments at organizations such 
as ACME. Most vendors simply do not have 
the time, resources, or expertise to develop 
applications securely, and the customers may 
not see security as a key requirement of the 
project. What can be done to increase secu- 
rity when deploying new applications or mi- 
grating from old software? 



thinking outside of the box to proactively re- 
solve non-standard problems as well. 

It's a rare organization that has documented 
security findings for each application in the 
environment. Adding a security sign-off in ad- 
dition to the more common business accep- 
tance procedure will show auditors that the 
company takes security seriously. 



First, security should be part of the process 
from the beginning. If all customers wrote se- 
curity requirements into the RFP, for example, 
vendors would start to take it more seriously. 
At the very least, management would be 
aware of some of the risks inherent in select- 
ing a particular vendor simply by reviewing 
responses to the requirements. Measures 
could be taken to mitigate any risks during the 
implementation, or the risk could be accepted 
and documented. 

In step 2 of the project cycle, an important re- 
source was not included in the team: the se- 
curity team representative. This individual will 
watch out for, and hopefully mitigate, just the 
sort of weaknesses that were discovered after 
the fact. The security team should have a 
template (discussed below) for securing ap- 
plications, but individually they will also be 



The security representative certainly has her 
work cut out for her. Convincing the vendor, 
management, and the rest of the project team 
that the security changes are implementation 
requirements is no simple task, and it takes 
creative technical thinking and attention to de- 
tail to resolve many of the technical issues. 

To make the job more tangible, the security 
team should have a checklist of requirements 
for new application installations. Major version 
upgrades of existing software should follow a 
similar, or identical, procedure. 

The checklist can be broken into categories 
such as authentication, logging and auditing, 
encryption, networking, and so on. It may also 
make sense to include items such as backups 
and monitoring that are not solely security re- 
lated. 
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To simplify the process, a standard, univer- 
sally accepted checklist can be used as the 
basis for the certification process. One such 
guide is the DISA Application Security Check- 
list, available at iase.disa.mil/stigs. It provides 
an excellent, if overly wordy, guide for applica- 
tion security requirements. Although the 
document is aimed primarily at U.S. Depart- 
ment of Defense entities, it is easily adapted 
to any organization. 

Using the DISA document as a template, we 
can quickly formulate our own set of applica- 
tion security requirements. For convenience, 
we'll split them into logical sections, just as is 
done in the checklist. 

Identification and authentication 

This covers how applications process and 
authenticate user identities. Several lengthy 
requirements are listed in the DISA checklist, 
but they boil down to the following require- 
ments: 

• The application must use valid, standards- 
based strong encryption for authentication. 
For most organizations, this means that the 
application uses a certificate signed by an ap- 
proved certificate authority. The certificate 
must not be expired, revoked, or otherwise 
invalid. 

• An adequate client authentication process 
must be supported. This might take shape in a 
variety of ways. An obvious example would be 
a simple login form, but a less common case 
could be a web server becoming a client 
when connecting to a database server on the 
back end. Authentication processes may in- 
clude a password, a certificate or key, and/or 
a biometric. If passwords are used, the appli- 
cation must support a minimum set of com- 
plexity requirements (for example, at least 9 
characters of mixed alphanumeric and special 
characters and a set expiration). An applica- 
tion that allows access with only a username, 
does not support password complexity, or 
does not properly enforce controls that it 
claims to support would fail this requirement. 

• If applicable, the client should authenticate 
the server. For example, a web browser con- 
necting to an SSL-enabled web server would 
validate the SSL certificate. In this case, it 
should validate that the certificate was signed 



by a trust certificate authority, is not expired, 
and matches the URL of the page. 

User account management 

The DISA guide only contains one require- 
ment in this section, but there are potentially 
many more concerns. For example, how does 
the application manage user accounts? Are 
administrative accounts carefully protected? 

A proper application certification thoroughly 
checks the user account protection mecha- 
nisms. 

Requirements: 

• User IDs should be unique. Duplicate user 
IDs can lead to overlooked privileges or weak 
passwords. 

• The application must authenticate to a cen- 
tralized authentication system. Most organiza- 
tions have a centralized user account direc- 
tory, such as Active Directory, OpenLDAP, or 
Red Hat Directory Server. To minimize the 
number of accounts and passwords that users 
must remember, the application should sup- 
port at least LDAP authentication. 

• Shared accounts must be prohibited. This is 
a central requirement of some regulations, 
such as HIPAA. Accounts should be tied to an 
individual - particularly administrative ac- 
counts. 

• Access requests should follow a standard 
request procedure. This should be tracked 
and reported against on a regular basis. 

Data protection 

Requirements in this area are common in 
regulations and standards such as the Pay- 
ment Card Industry Data Security Standard. 

Permissions and cryptography should be 
used to protect data when stored on disk and 
in transit. 

• Sensitive data should be protected by file 
permissions at rest. On disk, files should only 
be accessible by administrators and by the 
processes that need access (for example, the 
operating system, database service, or appli- 
cation processes). If backups or duplicates of 
the data exist, they should also be examined. 
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• Authentication credentials should be en- 
crypted at rest. Furthermore, non-privileged 
accounts should not have access to the keys 
that encrypt data. 

• All sensitive data in transit should be en- 
crypted with FIPS 140-2 validated cryptogra- 
phy. This can be accomplished in a variety of 
ways, such as by using technologies such as 
stunnel, SSL-enabled HTTP, or LDAPS. 

• All cryptographic modules should be FIPS 
140-2 validated. The check can be performed 
at csrc.nist.gov/groups/STM. In particular, be 
especially wary of applications that use pro- 
prietary, in-house developed encryption. 

Audit 

Auditing is certainly one of the least exciting 
yet most critical application security features. 
The application should log events and trans- 
actions in a meaningful manner. 

• The application should adequately log 
security-related events. Such events might 
include startup/shutdown, user authentication, 
authorization changes, data transfer, configu- 
ration changes and more. Furthermore, the 
application should log specific information 
about the event, such as the user ID, success 
or failure, the date and time, the origin of the 
request, etc. 

• The application should include a method to 
notify administrators when the logs are near 
full. 

• The audit logs must not be vulnerable to un- 
authorized deletion, modification, or disclo- 
sure. Filesystem permissions should be re- 
viewed, but the application interface might 
also be vulnerable. Integrity is perhaps the 
MOST important element of audit logs, par- 
ticularly if they are to be used in court. 

• Centralized logging should be supported. 
This can be done by syslog, by a manual da- 
tabase export and daily copy, or by sending 
logs to the system log utility (such as the 
Windows Event Viewer) and using a commer- 
cial tool. The benefits of centralized logging 
are widely known, and it should apply to ap- 
plications as well as operating system logs. 

Application operation 

Certain aspects of the application's operation 
have an impact on the overall security. This 



section looks at a variety of operational con- 
cerns. 

• The application must support role-based ac- 
cess control. Administrative accounts should 
be able to perform system maintenance, 
manage user accounts, and review audit logs. 
Regular user accounts should have significant 
restrictions. 

• Actions should be authorized prior to execu- 
tion. For example, an attempt to delete a user 
account by a non-privileged user should be 
denied. 

• The application should run with only the 
necessary privileges for operation. A Windows 
application, for example, should not run with 
domain administrator privileges. Similarly, a 
Linux application should not run as the root 
account. 

• Session limits should exist. User sessions 
should time out after a period of activity, and 
perhaps a specific number of simultaneous 
sessions should be allowed. 

• Users should not be able to circumvent the 
user interface to access resources in the sup- 
porting infrastructure. A user may be limited 
by privileges in the application, for example, 
but could use SSH or NFS to access data di- 
rectly. 

Enclave Impact 

The most important consideration here is the 
logical separation of servers at the network 
level. 

Application servers should be properly limited 
by firewall Access Control Lists. Externally 
accessible servers should be located in a 
DMZ. The section also recommends several 
methods for determining what ports are in 
use, but most of these don't make sense in 
the context of vendor-supplied applications. 
The vendor should be able and willing to sup- 
ply information about what ports are needed 
for proper operation. If not, this can be easily 
determined by packet captures and network 
scans. 

Application configuration and 
authorization 

A variety of client-facing requirements for ap- 
plications are discussed in this section. 
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• A warning banner should be displayed at 
user logon. This can contain text about a 
user's consent to monitoring, no reasonable 
expectation of privacy, and other standard or- 
ganizational user agreement text. 

• Authentication credentials should not be 
stored on a client after the session terminates. 
Cookies are the most common method to 
store credentials for use in future sessions. 

• Users should be able to explicitly terminate 
a session via a logout button or link. It should 
be easy to find and obvious to most users. 



Summary 

This laundry list of security requirements is a 
lot to think about for every application de- 
ployment, but vigilance in this area can drasti- 
cally improve an organization's security pos- 
ture. The requirements can be put into a stan- 
dardized template, and at the end of the proc- 
ess each requirement should have a mark for 
pass, fail, or perhaps not applicable. 

Anything marked as a failure should be noted 
and can be escalated or accepted as a risk. 
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Before I start explaining the techniques I developed to hide data inside a 
rainbow table, let's first cover some basics. 



Steganography is the art of hiding messages 
so that uninitiated wouldn't suspect the pres- 
ence of a message. While cryptography 
makes the message unreadable, it doesn't 
conceal it. Steganography does the opposite: 
it conceals the message but the message 
stays readable. A very ancient example of 
steganography was to tattoo the message on 
the shaven head of the messenger, and send 
the messenger on his way once his hair had 
grown back. I trust you can work out the 
method to recover the message. 

One could say that steganography is nothing 
more than security through obscurity. 

Nowadays, you can find many steganography 
programs to hide data inside digital pictures. 
The principle is easy to understand: each pixel 
of the picture has a color. This color is coded 
with a given number of bits. Changing the bits 
changes the color. Changing the most impor- 
tant bits results in a dramatic change of color, 
but changing the least important bits results in 
a small color nuance, which is often impercep- 
tible to the naked eye. To hide the message in 



the picture, break it up into its individual bits 
and use them to set the least important bit of 
each pixel in the picture. When looking at both 
pictures (original and carrier), you won't see a 
difference. Send your picture to your recipient 
(via e-mail, a picture sharing service, or any 
other electronic means), and then she can re- 
cover the hidden message by extracting the 
bits and recomposing the message. 

You'll understand that the size of the hidden 
message is severely restricted by the size of 
the carrier picture and the number of bits per 
pixel you use. Say that you can only use 1 out 
of 8 bits of a picture, then a 1 MB picture theo- 
retically allows you to hide a 128 KB mes- 
sage. That's fine for text, but not enough for 
other media. My solution is to use much larger 
carriers than pictures. 

A rainbow table is a huge binary file used for 
password cracking. We are talking about gi- 
gabytes, one table is often 1 GB large, and a 
set of rainbow tables comprises tens of tables. 
The rainbow tables I've used in my research 
are generated with software from Project 
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RainbowCrack. 

A rainbow table is just a sequence of records. 
Each record has 2 fields of 8 bytes each, this 
makes a record 1 6 bytes wide. Therefore the 
size of a rainbow table is a multiple of 16. A 
record represents a chain. The first field is the 
password that started the chain. Actually, the 
first field is an index into the keyspace of all 



possible passwords for the given rainbow ta- 
ble set. It is a random number between 0 and 
the size of the keyspace - 1 . The second field 
is the hash of the last password in the chain 
(actually, this is also an index and not the real 
hash). The rainbow table is sorted on the sec- 
ond field: the record with the lowest hash is 
first in the table and the one with the highest 
hash is last. 
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This is the hex dump of a rainbow table (the first 16 chains). The left box highlights the random data, notice 
that the 3 most significant bytes are 0. The right box highlights the hash, notice that this column is sorted. 



Rainbow-steganography method 0 

The first method to hide data with a rainbow 
table is really trivial, just rename the file you 
want to hide to the name of a rainbow table, 
like this one: 

lm_alpha-numeric-symbol1 4-space#1 -7_0_54 
00x671 08864_0.rt 

But this method will not withstand a superficial 
inspection of the file. A forensic analyst will 
see through your subterfuge, by looking at the 
content of this file she will recognize the for- 
mat of the media file you've renamed and re- 
alize that it's not a rainbow table. 

Rainbow-steganography method 1 

Because the first field of a rainbow table re- 
cord is just a random number, we can replace 
it with our own data from the file we want to 



hide. We cannot use all the bytes in this field, 
because the size of the keyspace is usually 
smaller than 8 bytes wide. The most- 
significant-bits of the password field are set to 
zero. Setting them to one would give our se- 
cret away. We must limit our usage of the 
password field to the least-significant-bytes. 

Changing these bytes will not change the 
structure of the rainbow table, so it will still 
appear as a valid rainbow table. The only 
consequence of our change is that the chain 
cannot be used anymore to crack a password. 
But if we leave a certain percentage of chains 
in the rainbow table unchanged, the rainbow 
table can still be used to crack some pass- 
words. 

To illustrate the technique, we insert 32 bytes 
(the sequence from 0x00 through 0x1 F) in the 
rainbow table on the following page. 
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We will replace the random bytes in the red 
box. The keyspace of this rainbow table is 
less than 5 bytes (OxFFFFFFFFFF), that's 



why I decide to change only the 4 least signifi- 
cant bytes of the start of a chain. This is the 
result: 
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It is clear that this modification is very obvious 
when you look at it, because the start entries 
are not random anymore. But if you use data 
that looks random (using compression or en- 
cryption), it will not stand out from the other 
random bytes. You can even use this modified 
rainbow table to crack passwords. 

The first 8 chains will not crack passwords 
anymore, because the start of the chain has 



been changed. But this does not cause an er- 
ror and all the other chains are still usable. 
The only way to detect the hidden bytes (other 
than statistical analysis), is to recalculate the 
chain and compare the calculated hash with 
the stored hash. If they differ, the start has 
been tampered with. 

You can do this with the rtdump command, 
like this: 



rtdump Im_alpha-numeric-symboll4-space#l-7_0_5400x67108864_0 . rt 0 



If the chain has been modified, the message will be: 
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C:\WINDOWS\system32\cmd.exe 



0000007892d3684e 
0000001cdi8650f8 
00000012fbdlb46a 
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0000004b4b8a94bd 
00000070f855ff04 
00000052a3cb0932 
0000007b2cfl6ade 
000000bG9a938Gcd 
0000008e3fa0f8f7 
0000000db6b59025 
000000712felc581 
0000006f 57e0cc98 
0000004bfcddd4d5 
0000002505dl5ff0 
0000009de4f2dlf4 
0000000G9623cGGc 
000000bGa41bG9a3 
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The problem with this test is that it is very time 
consuming, checking a complete rainbow ta- 
ble takes about as much time as calculating 
the rainbow table, because you're in fact re- 
calculating all the chains. FYI, each 1 GB ta- 
ble from my set took about 1 week to gener- 
ate. 

Rainbow-steganography method 2 

The disadvantage of method 1 is that there is 
a way, albeit costly, to detect the hidden data. 
This is because we replace the random bytes, 
that makeup the start of the chain, by the data 
we want to hide, thereby breaking the chain. A 
broken chain can be detected by recalculating 
the chain and comparing the recalculated 
hash with the stored hash. If they differ, the 
chain is broken. 

But if we know that we are breaking chains, 
why don't we fix them? We can proceed as 
follows: 

• replace the start of the chain (random bytes) 
with the data we want to hide 

• recalculate the chain 

• replace the hash of the chain with the new 
hash we calculated. 

This way, there are no more broken chains 
that give away our hidden secret. But now 
there is another telltale sign that the rainbow 
table has been modified to hide data: the 
hashes aren't sorted anymore. Remember 



that a rainbow table has to be sorted (the sort 
key is the index of the hash) to be useful. It is 
very unlikely that our new hash is greater (or 
equal) than its predecessor and smaller (or 
equal) than its successor. Detecting an un- 
sorted rainbow table is much easier than find- 
ing broken chains. 

OK, so if the new rainbow table is unsorted, 
why don't we just sort it again? Well, if we re- 
sort the rainbow table, we destroy the order in 
which we stored our hidden data, so we loose 
the hidden data itself. 

You could keep the original order of the hid- 
den data by creating an index, this is another 
file that indexes the chains with hidden data. 
For example, you could make a list of all the 
hashes with hidden data. This list will then al- 
low you to retrieve all chains with hidden data 
in the correct order. And the fact that you have 
such a list of chains isn't necessarily suspi- 
cious, it's just a list of hashes you want to 
crack. 

But there is a simple way out of the unsorted 
rainbow table problem. Rainbow tables gen- 
erated with the rtgen program are unsorted. In 
fact, you have to sort them with the rtsort 
command after generating them, before they 
can be used by the rtcrack program. The solu- 
tion is to adapt the rtgen program to generate 
a rainbow table with hidden data, and keep 
this unsorted rainbow table. 
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Our modified rtgen program allows us to gen- 
erate an unsorted rainbow table with hidden 
data. The only way to detect this hidden data 
is with statistical analysis, provided that the 
hidden data doesn't appear random. There 
are no broken chains that indicate hidden 
data, unlike with the previous method. 

The disadvantage of this method is that you'll 
have to generate a new rainbow table to hide 
your data, which is a time consuming process. 

Rainbow-steganography method 3 

My last steganographic technique is based on 
the fact that a rainbow table contains chains 
with the same hash index but with a different 
start index. 

Take the rainbow table I've used in my tests. 
It's 1 GB large and has 67.108.864 chains. It 
contains 9.513.435 pairs of chains with the 
same hash index but with a different start in- 



dex. For 4.756.561 of these pairs, the first 
chain has a higher start index than the second 
chain. And for 4.756.874 of these pairs, the 
opposite is true: the first chain has a lower 
start index than the second chain. This even 
distribution should be no surprise, as the rain- 
bow table is only sorted on the hash index and 
not on the start index. 

We can change the order of these pairs with- 
out breaking the chain and without disrupting 
the order of the rainbow table. This will allow 
us to encode 1 bit per chain. I define the fol- 
lowing encoding convention: 

• a pair of chains with the same hash index 
and with the start index of the first chain 
smaller than the second chain represents a bit 
equal to zero 

• a pair of chains with the same hash index 
and with the start index of the first chain 
greater than the second chain represents a bit 
equal to one. 
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In our test table, the pair in the first box represents a 0 (0x1C7F02C85E < 0x2D1 AB4B674) and the pair in the 
second box represents a 1 (0x94BD2F41 F2 > 0x6561 6DC547). 



Use this algorithm to hide a file in a sorted 
rainbow table: 

• start a sequential search of chain pairs with 
equal hash indexes and different start indexes 

• for each bit of the file to hide 

o if the bit is 0 and the chain pair has a 
first start index higher than the second, swap 
the order of the chains 

o if the bit is 1 and the chain pair has a 
first start index lower than the second, swap 
the order of the chains. 



To extract the hidden file, use this algorithm: 

• start a sequential search of chain pairs with 
equal hash indexes and different start indexes 

• if a chain pair has a first start index lower 
than the second, write a bit equal to 0 

• if a chain pair has a first start index higher 
than the second, write a bit equal to 1 . 
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Use rthide2 to hide data in a rainbow table, it 
takes 3 arguments: 

• the rainbow table (remains unchanged) 

• the file to hide (remains unchanged) 

• the new rainbow table 

To hide a file data.zip inside a rainbow table 
called 

lm_alpha-numeric-symbol1 4-space#1 -7_0_54 
00x671 08864_0.rt, use this command: 

rthide2 

lm_alpha-numeric-symbol1 4-space#1 -7_0_54 
00x671 08864_0.rt data.zip 
lm_alpha-numeric-symbol1 4-space#1 -7_0_54 
00x671 08864_0.rt.stego 



This will create a new rainbow table called 
lm_alpha-numeric-symbol1 4-space#1 -7_0_ 
00x671 08864_0.rt.stego 
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Use rtreveal2 to extract data from a rainbow 
table, it takes 3 arguments: 

• the rainbow table 

• the file to create 

• the size of the hidden file 



To extract the data, issue this command (you 
have to know the length of the hidden file, my 
PoC program doesn't store this). 

rtreveal2 

lm_alpha-numeric-symbol1 4-space#1 -7_0_54 
00x671 08864_0.rt.stego data.zip 1620 

1620 is the length of file data.zip 

The advantages of this technique over the 
previous techniques I developed is that it cre- 
ates sorted rainbow tables without broken 
links, and that it is fast. The disadvantage is 
that it stores much less hidden data. In my 
example, a maximum of about 1 MB 
(9.513.435 bits) can be hidden in a rainbow 
table of 1 GB. Statistical analysis is the only 
way to detect the hidden data, but you can foil 
this by making your data appear random, for 
example with strong encryption. 

Source code 

PoC code to store and retrieve data in rain- 
bow tables using these technique can be 
found on my web site. 



Didier Stevens (CISSP, MCSD .NET, MCSE/Security) is an IT Security Consultant currently working at a large 
Belgian financial corporation. He is employed by Contraste Europe NV, an IT Consulting Services company 
(www.contraste.com). You can find the rainbow table PoC code and other open source security tools on his IT 
security related blog at DidierStevens.com. 




Network Security Assessment provides you 
with the tricks and tools professional security 
consultants use to identity and assess risks in 
Internet -based networks -the same penetration 
testing model they use to secure government, 
military, and commercial networks. 

With this book, you can adopt, rcnne> and 
reuse this testing model to design and deploy 
networks that are hardened and immune 
from attack. 



www.oreilly.com 
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Nowadays, the term "insider threat" is banded about as the proverbial 
boogieman that is out to get us. There is confusion, vendor hype and statis- 
tics surrounding this topic and consequently some dismiss it as the latest in a 
wave of security scares with little substance behind it. The term "insider 
threat" may be misused but nonetheless the threat is real and poses 
significant risks to both enterprises and government. 



The truth is that the insider threat is probably 
going to increase and worsen before it gets 
better and not just because we are paying 
more attention to it. This is due to a constella- 
tion of factors including rising organized cy- 
bercrime, increased use of outsourcing and 
the ubiquity of data. However, before we delve 
into the threat and the means we might em- 
ploy in order to deal with it, we need to define 
what falls within the scope of "insider threat". 

Defining the insider threat 

The distinction between accidental damage 
from insiders and intentional, malicious dam- 
age is often forgotten, intentionally or not, and 
it is time to put it back in its place. While both 
types of damage can be significant, there is a 



big difference between the two. Accidental 
damage has always been a concern and there 
is no particular reason to believe that it is on 
the rise - certainly, it is possible that more 
employees have access to more sensitive 
data, or that enterprises tend to retain more 
sensitive data than before, but this in itself 
does not increase the probability of a data 
leak. 

The definition of "breach" is also tightly linked 
to the issue of data loss or leakage. There is a 
big difference, in risk terms, between the acci- 
dental loss of a laptop or disk with sensitive 
information, to intentional data theft. In the 
former, there is a concern that sensitive data 
might fall into the wrong hands, whereas in 
the latter, it is certain to fall into the wrong 
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hands. 

It is akin to the difference between losing your 
house keys, worrying a burglar might find 
them and use them, versus having your house 
broken into and your money stolen. In other 
words, just because someone accidentally 
sent an email with sensitive documents out- 
side the company by mistake, it is far from 
certain that the data would be misused. Simi- 
larly, even if someone who is not a model citi- 
zen finds a lost laptop, he will most likely wipe 
the hard disk clean and sell the laptop, not 
hack the login and password to retrieve the 
data. 



Accidental "breaches" therefore pose signifi- 
cantly less risk than intentional ones. While 
accidental data loss is impossible to prevent 
completely, it is possible to prevent or mitigate 
much of it, which is what DLP solutions do. 
There is a reason why DLP stands for Data 
Leakage Prevention (or Data Loss Prevention 
by some accounts), and not for Data Theft 
Prevention. Most DLP vendors do not claim to 
be able to stop intentional data theft. An em- 
ployee stealing data from the company is not 
likely to send it to her buyers via email or be 
foolish enough to download files to removable 
media if access to those is controlled. 



Technically, risk is the product of the probability of something happening 
and the damage it could cause if successful. 



Accidental data leakage by insiders is also not 
a localized phenomenon within the corporate 
IT infrastructure. It could happen in a variety 
of ways and using a variety of systems, which 
is why DLP solutions often span the network, 
desktops and end-point devices. 

Intentional data theft by insiders, on the other 
hand, and especially the kind that could cause 
serious damage, is highly localized to those 
areas where valuable information is stored, 
and in large quantities - i.e., databases. While 
databases are usually at the bottom of the IT 
stack, feeding tiered layers of applications 
above them, they are accessible directly by 
privileged users such as DBAs, sys admins, 
developers, consultants and outside contrac- 
tors. In large enterprises, this group of users 
with privileged access can span hundreds of 
people. 

Whereas with accidental data leakage one 
can hope that employees largely try to follow 
procedures and may only falter occasionally, 
in the case of malicious data theft, the insider 
perpetrators intentionally flout policies and 
procedures, so much stronger enforcement is 
required. 

Assessing the risk of malicious insider 
breaches 

Technically, risk is the product of the probabil- 
ity of something happening and the damage it 
could cause if successful. On that merit alone, 
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the risk posed by insiders is significant be- 
cause the potential damage is huge. Highly 
skilled insiders with access privileges can do 
infinitely more damage than very talented 
hackers on the outside, and if they are really 
good, they are also more likely to cover their 
tracks successfully. 

Earlier this year, in a highly publicized breach 
a DBA from Certegy, a credit card processing 
subsidiary of Fidelity National Information 
Services, sold 8.5 million records (at last 
count) containing customer credit card and 
bank account data. This is the poster child 
malicious insider attack, the nightmare sce- 
nario - and no doubt a very serious breach on 
a massive scale. In a similar incident, an in- 
sider working for a credit card processing 
company was caught by the Secret Service in 
a sting operation after he had tried to sell cus- 
tomer data belonging to Johnson & Johnson 
and the Disney Video Club. One could sur- 
mise that such large-scale breaches are un- 
likely to become frequent, and though their 
impact is noticeable, the overall scale and 
likelihood means that they are rare and far 
apart. 

However, there are numerous, smaller inci- 
dents that are a lot more frequent. Most of 
them do not get reported, and it is likely that 
an even larger percentage go undetected. 
There may be minor infractions of policy, such 
as peeking into a colleague's salary data in 
advance of salary negotiations. 



Such things happen all the time. Moving up 
the ladder, we would encounter misdemean- 
ors such as selling individual customer re- 
cords to interested parties - for example, an 
employee of a phone company selling call re- 
cords on demand to private investigators, or a 
student bribing an IT employee at a university 
to change his grades in the database. 

All of those smaller act of intentional data 
theft, unlawful data alteration and abuse of 
privileged access to information for personal 
gain add up to cause significant damage, but 
they are completely below the radar most of 
the time. So the overall risk is comprised of 
many smaller infractions that individually 
cause minor damage, along with fewer but in- 
creasingly grave breaches that can individu- 
ally cause major damage affecting a com- 
pany's bottom line. 

Understanding motivation 

When looking into the more serious incidents, 
there are many reasons why a trusted em- 
ployee would knowingly and purposefully 
cause damage or steal from his employer. The 
"disgruntled employee" is cited most often as 



the malicious insider, though this is an over- 
simplification. Certainly, disgruntled employ- 
ees are more likely to betray the trust of their 
employer that happy employees, given the 
opportunity to do so, but few are disgruntled 
enough to plan and execute such acts without 
some external motivation. 

Understanding the insider threat is therefore 
inextricably tied to understanding the threat 
landscape in general. The motivation of hack- 
ers worldwide has shifted over the past few 
years from vanity and opportunity-driven acts 
to criminally motivated acts. Cybercrime is or- 
ganized crime, with hierarchies, a complicated 
value chain of tools and methods, trading plat- 
forms for stolen credit card and personally 
identifiable information, and crime bosses who 
manage the operations. 

Enterprises and ISPs now have server rooms 
full of firewalls, IDS/IPS, appliances that filter 
spam, malware and viruses, making the pe- 
rimeter an almost impregnable wall. It is diffi- 
cult to penetrate this wall and extract valuable 
data from inside the corporate IT stack, pass- 
ing through layers of security. 



Criminals always look for the easy way in. 



Criminals always look for the easy way in. 
Once their previous modus operandi become 
difficult, they start looking for other ways of 
getting the data they need - and this is where 
insiders become very valuable to them, and 
dangerous to the enterprise. 

Imagine that you are a DBA with a large re- 
tailer. One day you get a phone call to your 
cell phone, and a stranger offers you $5,000 if 
you pass them the details of 30,000 custom- 
ers. You hesitate and the offer is sweetened to 
$7,000. Some would succumb at this point, 
especially if their skills and level of access al- 
low them to do so undetected. You still hesi- 
tate, though, at which point the stranger asks 
you how your daughter Emily is doing. 

A farfetched scenario? Unfortunately, it is not, 
and in most cases that were made public, the 
implicated insider was motivated by money, 
not by threats. 



Mitigation and remediation 

What about preventing this from happening in 
the first place? In the last season of The So- 
pranos, a couple of Tony Soprano's goons go 
to the old neighborhood to shake down the 
manager of a newly opened coffee shop for 
"insurance". The young manager explains that 
the coffee shop is a branch in a national chain 
and that headquarters count every coffee 
bean and dime - he simply cannot give them 
money off the books and if they force him, 
headquarters would simply send someone 
else to replace him. The goons leave empty 
handed, bemoaning the fate of the old neigh- 
borhood. 

The same is true of data theft: Where there is 
no access, there is no crime. If privileged, 
trusted users knew that their actions could not 
go undetected and if this were made clear to 
criminals as well, such a course of action 
would become increasingly difficult. 
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The phone call described in the previous sec- 
tion would not achieve its purpose. We are still 
far from reaching this objective but it will even- 
tually happen. 

Before prevention, there are many other ways 
of mitigating the risk. Awareness of the issue 
at hand is a first and necessary step, which 
should lead to stricter policies and more 
granular access levels for privileged users. In 
a surprising number of enterprises, you would 
find shared logins and passwords, for exam- 
ple, or that privileges, once granted, are sel- 
dom revoked. Lack of awareness and prioriti- 
zation is why this is still happening. 

Frequent auditing, preferably by an external 
3rd party, is the next logical step. It may not 
stop insider breaches, but it may discover 
them while they are ongoing and prevent them 
from continuing. 

Ultimately, however, we must find a way of 
looking at what users are doing and ensuring 
it complies with policy, regardless of who 
those users are. After all, an outside hacker 
who is able to commit a privilege escalation 
attack would have insider privileges. He be- 
comes the insider. This is where sophisticated 
tools for real-time monitoring, alerting and 
prevention can help. 

In order to know which actions are legitimate 
and which are not, it is not enough to have 



policies. We need to understand the context in 
which these actions are taken, be able to act 
in real-time, and do so without hindering daily 
operations. Given that databases hold the 
largest concentration of critical data, and that 
they are highly complex applications, they re- 
quire a specific set of tools and technologies 
to perform this task, collectively known as da- 
tabase activity monitoring (DAM) or database 
intrusion/extrusion prevention. 

Much of the risk posed by malicious insiders 
can be mitigated through intelligent use of 
these tools, providing that they can detect all 
forms of direct access to the database and the 
use of sophisticated attack vectors - after all, 
the users who have privileged access to data- 
bases are among the most sophisticated and 
skilled users within IT. Contrast this with DLP 
solutions that target the average user whose 
skills would normally not suffice to outsmart 
the system. 

When separating the wheat from the chaff, the 
insider threat emerges as a threat that needs 
to be addressed, using the right tools and pro- 
cedures for the right kind of insider threat. Un- 
intentional data loss can be widespread but its 
effects are usually not severe. Intentional, ma- 
licious data theft or abuse by privileged insid- 
ers can deal very painful blows to the enter- 
prise, but requires a different approach and 
focus on databases, where the attractive data 
assets are located. 



Dan Sarel is responsible for directing Sentrigo's product definition and design, and brings over a decade of 
security software and hardware experience. Dan joined Sentrigo (www.sentrigo.com) after serving as Check 
Point Software Technologies' Director of Product Management. At Check Point Dan led the VPN product line 
and went on to manage an international team that leads all of Check Point's enterprise product lines. Dan led 
several new product launches and served as a member of the product council, which determines the com- 
pany's product strategy. Prior to Check Point Dan held a number of product management, marketing and con- 
sulting positions in the hardware and software security product market. 
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Software spotlight 



WaterRoof 

http://www.net-security.org/software. php?id=689 

WaterRoof is an IPFW firewall frontend for Mac OS X with a easy interface and many options. 
Features include dynamic rules, bandwidth management, NAT configuration and port redirection, 
pre-defined rule sets and a wizard for easy configuration. You can also watch logs and graphic 
statistics. Rules configurations and network options can be saved and optionally activated at boot 
time. 

Botan 

http://www.net-security.org/software. php?id=94 

Botan aims to be a portable, easy to use, and efficient C++ crypto library. 
ModSecurity 

http://www.net-security.org/software. php?id=51 8 

ModSecurity is an open source intrusion detection and prevention engine for web applications. It 
operates embedded into the web server, acting as a powerful umbrella - shielding applications 
from attacks. ModSecurity supports Apache (both branches) today, with support for Java-based 
servers coming soon. 

Jsch 

http://www.net-security.org/software. php?id=41 7 

JSch is a pure Java implementation of SSH2. JSch allows you to connect to an sshd server and 
use port forwarding, X11 forwarding, file transfer, etc. You can integrate its functionality into your 
own Java programs. 
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B2B gateways were introduced in 2003, marking the first time IT professionals 
could deploy best-of-breed managed file transfer tools without sacrificing 
their larger investment in enterprise business applications. Today, that value 
proposition has an added advantage: gateways have become building blocks 
for a secure information strategy. 



The intent of this article is to provide even- 
handed criteria for evaluating B2B gateways 
within the context of overall information secu- 
rity. "Information security" refers to all activiti- 
es—physical, electronic, social— related to 
corporate information protection. This in- 
cludes, but is not limited to, physically secur- 
ing the premises, encrypting and backing up 
data, and developing, publishing and promot- 
ing an enterprise-wide security policy. 

Data transfer over public networks: 
risks and rewards 

The appeal of a B2B gateway is based, in no 
small measure, on cryptographic attributes 
that allow data to be transmitted securely over 
public networks rather than proprietary VANs. 
Although the cost savings are attractive, any 
enterprise choosing to transport data across a 
public network assumes responsibility for pro- 
tecting its infrastructure against risks posed by 



the public network itself. The basic factors to 
consider are network reliability, load capacity, 
in-transit data protection, and shielding the 
enterprise from viruses, worms, and other 
malware. 

As Gartner points out, centralization is one of 
the explicit virtues of the B2B gateway. A sin- 
gle, secure data portal is advantageous for 
many reasons, particularly for firms that must 
demonstrate robust data security for compli- 
ance audits. This consolidated port of entry 
defines the "edge" of the corporate domain 
and clarifies accountability for data moving 
into and out of the enterprise. 

Security-related gateway evaluation 
factors 

Gateway technology is specifically designed 
to address the data security risks described 
above. 
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But gateways entail risks of their own that that 
must be factored into any system evaluation. 
These risks can be divided into two catego- 
ries: absolute (functionality-driven) and 
relative (cost/value-driven). 

Absolute risks 

• Capability: How effectively will the gateway 
handle the functions most important to your 
operation? How well will it conform to your en- 
terprise's published performance standards? 

• Platform support: How efficient will the tech- 
nology be within your hardware/operating sys- 
tem environment? Is it certified to meet your 
corporate production requirements? 

• Compliance: If you must comply with corpo- 
rate or industry regulations— HI PAA, GLB, 
Sarbanes-Oxley, and PCI, for example— does 
the system meet those standards and support 
timely, efficient compliance reporting? 

Relative risks 

Relative risk factors relate to the cost of ac- 
quiring, installing, operating and maintaining 
the system. The right gateway choice for your 
company is the one that delivers the most 
value per dollar compared to 1 .) other options 
in the marketplace; and 2.) the importance of 
the following factors within your operation: 

• Performance: Better-performing systems 
consume less CPU, disk and memory re- 
sources. They are typically a better long-term 
buy for two more reasons: corporate traffic 
almost always increases rather than de- 
creases, and a robust gateway can reduce (or 
redistribute) overall loads so your existing in- 
frastructure can accommodate more traffic. 

• Reliability: By definition, gateways are ex- 
pected to be highly available. How well will the 
system scale in large, clustered implementa- 
tions? How quickly can it recover from excep- 
tional conditions, including component failure? 

• Ease of implementation: The more quickly 
the gateway can be installed and put into pro- 
duction, the better the odds for rapid adoption 
and support by the enterprise. 

• Ease of use: The most vocal proponents (or 
critics) of any system are usually the people 
responsible for its day-to-day operation. Us- 
ability promotes user adoption and delivers 
tangible benefits such as fewer input errors 
and faster, more effective reporting. From an 



operations standpoint, a system that can be 
readily modified and reconfigured requires 
shorter maintenance windows. 

Typical stages of corporate information 
security 

The fundamentals of securing corporate data 
don't change. At the most basic level, they boil 
down to restricting access, applying safety 
measures to the data itself, and making dupli- 
cates in case the original is lost or corrupted. 

The operational context for these fundamen- 
tals, however, is constantly evolving. Most en- 
terprises go through four stages of integrating 
information security into their core business 
processes. 

Stage #1: The Fortress 
At this stage, the enterprise protects data by 
building a wall around it. Information within 
this fortress is not encrypted, and the data 
transfer mechanisms aren't necessarily se- 
cure. Protection consists of restricting physical 
access to campuses and data centers and re- 
quiring passwords for log-in. Database pass- 
words are often left at default values or are 
widely known and rarely changed, since all 
the data is "internal" anyway. In this scenario, 
the safety of all data is essentially equivalent 
and completely dependent on physical safe- 
guards. Security is not intrinsic to either the 
data or business process. 

Stage #2: The Private Line 
At this stage, the company embraces the "pri- 
vate line" or "secure tunnel" for inter- 
enterprise data exchange. This link is secure, 
but no assumptions are made about protec- 
tion beyond the link, and a breach in the link 
will expose all in-transit data. Business proc- 
esses at either end of the link expect data in 
its native format. Security is not intrinsic to ei- 
ther the data or business processes. 

Stage #3: Security Off the Wire 
The third evolutionary stage infuses protection 
higher in the protocol stack. The application- 
layer software encrypts data using features 
within a broader software suite, or through a 
separate security product integrated into the 
overall business information process. Data 
transformation for the sake of security is only 
applied when necessary. 



www.insecuremag.com 



99 



This stage takes security "off the wire" and 
allows the use of non-dedicated (but intrinsi- 
cally less secure) networks like the Internet. 
Data protection may be oriented toward the 
document itself, treating each discrete docu- 
ment as an independently secured message, 
or toward the session layer (SSL and TLS). In 
the latter case, security parameters are es- 
tablished between two end-points and applied 
to one or more discrete documents passing 
over the session. 

At this stage, data protection is disengaged 
from the lower, physical or data-link layers. 
This takes the safety burden off the network's 
shoulders. But engaging security at the appli- 
cation layer makes information safety be- 
holden to the prerogatives of the business 
process. Disparate applications may provide 
different, and possibly wholly incompatible, 
data security schemes. 

These differences make secure data transfer 
between heterogeneous systems across a 



public network a formidable integration chal- 
lenge. 

Stage #4: The B2B Gateway 
At this stage the corporation recognizes the 
value of a single subsystem for reliable, in- 
teroperable, secure data transfer over rela- 
tively low-cost public networks. Within the 
centralized architecture, all applications con- 
form to the corporate security policy. Adaptive 
gateway interfaces make application integra- 
tion relatively simple. Ongoing gateway opera- 
tions can be easily monitored and exceptional 
conditions reported immediately. 

B2B gateways that understand multiple 
application-layer transfer protocols— HTTPS, 
S/FTP, and so forth— can be configured to 
adapt to changes in the way the enterprise 
arranges its communications with others. By 
disengaging the secure communications as- 
pect from the business process infrastructure, 
the company can tune components without 
tearing down and starting over. 



ANY ENTERPRISE PREPARING TO EXPAND INTER- OR INTRA-COMPANY DATA EXCHANGE 
MUST HAVE AN UPDATED, WRITTEN CORPORATE INFORMATION SECURITY POLICY 



Choose technology to support your secu- 
rity policy— not vice versa 

Any enterprise preparing to expand inter- or 
intra-company data exchange must have an 
updated, written corporate information security 
policy. (The SANS Institute provides useful 
guidelines and templates at 
www.sans.org/resources/policies.) Well- 
crafted policies are clear about the company's 
standards and procedures in the following ar- 
eas. 

Asset protection: Reducing or preventing data 
loss with measures such as eliminating single 
points of failure in critical data processing 
paths. Other examples: appropriate data 
backup, in-place redundant systems, and on- 
going hardware maintenance. 

Access control: Installing authentication con- 
trols at both human and external system ac- 
cess points; requiring and enforcing the use of 
security credentials. 



Vulnerability detection: Establishing mecha- 
nisms to detect compromised and/or vulner- 
able systems. For example, a digital certificate 
approaching its expiry date represents a defi- 
nite vulnerability. A user account that hasn't 
been accessed for a long period represents a 
potential vulnerability. 

Monitoring and reporting: Creating procedures 
to record and report access to sensitive infor- 
mation. Reports showing usual-and- 
customary access patterns are helpful for op- 
erators on the alert for unusual, and poten- 
tially harmful, activity. 

PAIN: the elements of secure data transfer 
Secure electronic data transfer has four attrib- 
utes: Privacy, Authentication, Integrity, and 
Non-repudiation. Prudent business prac- 
tices—and increasingly, government and in- 
dustry mandates— require these attributes in 
electronic data exchange of all types, includ- 
ing gateways. 



www.insecuremag.com 



100 



Privacy: Encrypted data is intelligible only to 
those with the proper security credentials. 
Typically a public-key encryption scheme is 
used to ensure that only the intended recipient 
of the data can decipher the message. 

Authentication: Secure credentials identify the 
originator or sender of the information. This is 
typically accomplished by attaching a digital 
signature to the message. The signature, en- 
crypted with security credentials held only by 
the sender, can be authenticated by any re- 
cipient in possession of the sender's public 
key. 

Integrity: A relatively short sequence of bits, 
known as a message digest, is produced us- 
ing an algorithm with a very high probability of 
generating a different digest should any single 
bit in a message be altered. By sending an 
encrypted digest along with the message, a 
recipient can compare a locally computed di- 
gest to verify that the message was not al- 
tered in transit. 



Non-repudiation: To prove non-repudiation (a 
receipt which the receiver cannot effectively 
deny), the data recipient digitally signs and 
returns an acknowledgment to the sender that 
includes the matching digest of the message, 
thereby providing both a certain identification 
of the recipient and proof that the message 
was successfully decrypted and received 
intact. 

A B2B gateway evaluation matrix 

In summary, B2B gateways represent the 
consolidation of secure communication serv- 
ices accessible to various internal systems 
through adaptive interfaces. Endpoint configu- 
ration is relationship (trading partner) oriented, 
given the underlying assumption that endpoint 
management requires handling protocols or 
connections that vary by endpoint. Gateway 
activity is driven through interfaces to a busi- 
ness process management (BPM) system and 
integrated with information gathered through- 
out the enterprise. 



David Walling is Chief Technology Officer for nuBridges. He can be reached at dwalling@nubridges.com. 
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Reputation attacks, a little known Internet threat 

By Inaki Urzay 



A less known threat is consolidating which exploits the Internet as a mass- 
communication channel: reputation attacks. These attacks target both 
individuals and companies, and their goal is to ruin the victim's reputation. 
While attack techniques are varied, the consequences are often the same: a 
damaged reputation resulting in many cases in financial loss. 



Ways to attack a reputation 

Attackers can use several methods to ruin a 
company's reputation. Until now, most com- 
mon attacks have been based on distributed 
denial of service (DDoS). The objective of 
these attack is to flood corporate online serv- 
ices by means of millions of non legitimate re- 
quests from botnets. 

In this way, business performance is affected, 
causing direct financial losses and the corre- 
sponding damage to corporate image and 
reputation. 

Corporate websites are also the target of 'de- 
facement' attacks. They consist of trying to 
exploit a server or Web application vulnerabil- 
ity to modify pages or introduce other content 
in the pages that shows the corporate web 
server. When users and potential customers 
visit a corporate web page and find it has 
been modified by a third-party, their confi- 
dence in the company is seriously affected. 



Another method used by hackers that has 
proven successful is publishing false informa- 
tion on forums and blogs. Seemingly genuine 
news items, quotes included (false, of course) 
strategically distributed on several online sites 
can spread like wildfire, and achieve their 
goal: to convince a large number of users that 
the information is true. 

Many urban legends that are still popular to- 
day were originally created in a similar way, 
and have managed to affect highly prestigious 
multinational companies. 

In a similar vein, there have also been false 
rumors aimed at manipulating stock market 
prices. Firstly, attackers send true stock mar- 
ket information as spam, to potentially inter- 
ested parties. After several messages and 
once attackers consider they have sufficiently 
gained people's trust, they send false informa- 
tion to manipulate stock prices. 
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Google: a reference point on the Web 

Google's strategic position on the Internet has 
seen it become a reference when searching 
for information, but also has a key role in es- 
tablishing corporate reputations, good or bad. 
Consequently, Google is also used to attack 
the reputation of third-parties. 

The best known method is 'Google bombing' 
which allows specific websites to appear at 
the top of search results. Attackers study the 
way in which Google indexes and orders web 
pages during searches, and try to introduce 
critical content regarding a specific brand or 
company in the first places of the results list. 
When users search for a specific brand in 
Google, the first links displayed include pages 
aimed at damaging their reputation. Although 
Google has improved its algorithm to avoid 
these attacks, they are still common practice. 

PageRank is another Google-based method 
aimed at ruining corporate reputations. It con- 
sists of algorithms developed by Google to 
measure quantitatively the relevance or impor- 
tance of web pages on a scale of 0 to 10. A 
company's PageRank usually represents its 
popularity. If the value is high, it is usually 
considered to be a reliable source accessed 
by many important sites. 

Google is currently penalizing companies who 
exchange links and artificially try to increase 
PageRank. Attackers are exploiting this to in- 
sert penalized links on legitimate web pages. 
This way, they get the site to be penalized, its 
PageRank to decrease, and thereby damage 
its reputation. 

Other ways of attacking a reputation 

CastleCops (www.castlecops.com) is a volun- 
teer security community focused on making 
the Internet a safer place. Its free services in- 
clude malware and rootkit cleanup, malware 
and phishing research. 

CastleCops accepts donations via PayPal. At- 
tackers took advantage of this to begin a 
campaign aimed at discrediting CastleCops. 
They stole PayPal users' passwords using 



Trojans and phishing techniques, and made 
several donations to CastleCops. 

When users realized someone had sent their 
money to CastleCops, they blamed Castle- 
Cops for the fraud. Consequently, CastleCops 
was forced to return all the money, and invest 
in resources to manage all the complaints and 
requests. CastleCops' reputation was un- 
doubtedly damaged. 

Malware-based attacks 

Most of the methods described above are es- 
sentially malware-based. For example, bot- 
nets are used to carry out distributed DoS at- 
tacks and to launch spam that contains false 
information to ruin companies' images. Most 
defacements also use automated attack tools. 
In the case of Google, malware is also used to 
automate the insertion of links and spam on 
2.0 websites that allow users to add content. 
In the case of CastleCops, Trojans were used 
to steal PayPal users' credentials. 

There are numerous scenarios in which vi- 
ruses, Trojans and other malware-types can 
damage a company's reputation. In 2004, 
even Google was affected by the MyDoom 
worm which disabled many of its servers for 
several hours. Worse still, the search engine 
underwent the attack hours before being 
floated on the stock market. Other search en- 
gines such as Altavista, Yahoo! and Lycos 
were also affected by the worm. Phishing 
techniques, which are still as popular as ever, 
can also damage companies. These attacks 
are critical for banks, since they cause finan- 
cial losses and strike fear in users. In the 
same way, specially-crafted Trojans (mainly 
banker Trojans) have become one of the worst 
Internet threats. The main danger lies in the 
fact they are designed to specifically affect 
certain entities, and in many cases, operate 
totally invisibly and when users access their 
online bank, their access credentials are sent 
to hackers. 

In 2006, Trojans accounted for 53 percent of 
all new malware created, and 20 percent of 
these were banker Trojans. During 2007, there 
have already been over 40 percent more at- 
tacks than in the whole of 2006. 



Inaki Urzay is the Chief Technology Officer of Panda Security (www.pandasecurity.com). 
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Italian bank's XSS opportunity 
seized by fraudsters 

By Paul Mutton 



/ 




An extremely convincing phishing attack is using a cross-site scripting vul- 
nerability on an Italian Bank's own website to attempt to steal customers' 
bank account details. Fraudsters are currently sending phishing mails which 
use a specially-crafted URL to inject a modified login form onto the bank's 
login page. 



The vulnerable page is served over SSL with 
a bona fide SSL certificate issued to Banca 
Fideuram S.p.A. in Italy. Nonetheless, the 
fraudsters have been able to inject an 
FRAME onto the login page which loads a 
modified login form from a web server hosted 
in Taiwan. 

This attack highlights the seriousness of 
cross-site scripting vulnerabilities on banking 
websites. It shows that security cannot be 
guaranteed just by the presence of "https" at 
the start of a URL, or checking that the 
browser address bar contains the correct do- 
main name. 

Cross-site scripting vulnerabilities on SSL 
sites also undermine the purpose of SSL cer- 
tificates - while the attack detailed here injects 
external content via an FRAME, it is impor- 
tant to note that a malicious payload could 



also be delivered solely via the vulnerable 
GET parameter. 

In the latter case, any SSL certificate associ- 
ated with the site - included Extended Valida- 
tion certificates - would display a padlock icon 
and apparently assure the user that the in- 
jected login form is genuine. 

This particular attack is made all the more 
convincing by the vector used by the fraud- 
sters: the URL employed by the attack injects 
a series of numbers directly into a JavaScript 
function call that already exists on the bank's 
LoginServlet page. This makes it difficult even 
for an experienced user to identify this as a 
cross-site scripting attack, as the URL does 
not look readily suspicious, with the injected 
content consisting only of numbers and com- 
mas. 
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The vulnerable page, decoding arbitrary GET parameters. 



In a possible attempt to bypass automated 
security filters, the injected content from Tai- 
wan also contains encoded JavaScript which 
is used to display the text "Inserisci i tuoi 
codici personali" ("Insert your personal 
codes") and "per accedere alle aree riservate" 
("To access all reserved areas"). 

When the modified form is submitted, the con- 
tents are transmitted to the Taiwanese server 



before the user is redirected to the bank's 
genuine, unaltered homepage. 
Netcraft has contacted the bank affected by 
this attack and blocked the phishing site for all 
users of the Netcraft Toolbar 
(toolbar.netcraft.com), and propagated the 
block to the companies which licence the Net- 
craft PhishFeed 

(news.netcraft.com/phishing-site-feed). 
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The good, the bad and the ugly 
of protecting data in a retail environment 




The overall purpose of information security is to control risk by managing the 
impact of threats to information assets in the most cost-effective manner. This 
article takes a look at a typical Point-Of-Sale (POS) solution, identifying com- 
mon architectural weaknesses that can lead to data compromise. Specifically, 
key business priorities are assessed against the POS architecture to vet the 
solution for potential security shortcomings that could prevent it from 
carrying out its business mission. 



In many retail organizations, the principal 
business objectives are to achieve compliance 
to the Payment Card Industry Data Security 
Standard (PCI) to avoid fines and maintain 
proper standing in the industry, while protect- 
ing the brand name by avoiding breaches of 
customer credit card data. Many retail solu- 
tions have been carefully designed from both 
security and business goal perspectives. They 
may use hardening features such as PKI- 
driven strong mutual authentication of all sys- 
tem components, rigorous encryption of data 
in transit and at rest, secure unlock and up- 
date processes, etc. to be able to safely and 
reliably operate in the most hostile of network- 
ing environments. A computer containing sen- 



sitive data that is physically stolen from a retail 
site can represent of a significant risk. 

Careful balance between business goals and 
security reduce the risk of a compromise that 
can threaten the retail organization's brand 
reputation and business operations. Compli- 
ance to PCI is not enough to safeguard infor- 
mation in a retail environment. This article will 
also assist in guiding security efforts in a POS 
environment. For example, weaknesses dis- 
cussed here can prove to be effective at priori- 
tizing testing attention and effort. In other 
words, the testing, design review, code review, 
penetration testing processes should be priori- 
tized in order to make the most effective 
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use of the available development resources. 

Some mature security solutions are also envi- 
ronmentally friendly and addresses "the green 
security challenge" by delivering software so- 
lutions that operate on existing computing in- 
frastructure, typically on the same server as 
the application or database being secured. 
The appropriate level of encryption key pro- 



tection can be achieved by using a well bal- 
anced combination of software cryptography 
and selective use of small footprint standard 
commodity type Hardware Security Modules. 
This environmentally friendly approach can 
provide the needed balance of protection, 
cost, operational needs and avoid installation 
of a large number of appliances. 



ALL CREDIT CARD PROCESSING SYSTEMS REQUIRE LOGGING OF ALL 
ACCESS TO CREDIT CARD DATA, IN ADDITION TO QUARTERLY SCANS 
AND ANNUAL PENETRATION TESTS. 



The Payment Card Industry Data 
Security Standard 

The Payment Card Industry (PCI) Data Secu- 
rity Standard was created by major credit card 
companies to safeguard customer information. 
Visa, MasterCard, American Express, and 
other credit card associations mandate that 
merchants and service providers meet certain 
minimum standards of security when storing, 
processing and transmitting cardholder data. 
Merchants, service providers, and banks are 
required to perform an annual assessment for 
Level 1 (large) merchants, annual penetration 
testing and application testing Level 1 and 2 
service providers. All credit card processing 
systems require logging of all access to credit 
card data, in addition to quarterly scans and 
annual penetration tests. 

Credit card transmission networks, processing 
and storage systems require host and/or net- 
work intrusion detection or prevention. Fire- 
walls providing access to credit card process- 
ing and storage systems require an appropri- 
ately configured and managed firewall. Re- 
mote access to credit card processing envi- 
ronments require two-factor authentication. 

Databases, Web servers and applications that 
store or process credit card data require 128- 
bit SSL encryption and effective management 
of crypto key transmission and storage. Al- 
though currently not a PCI requirement, Visa 
and MasterCard encourage application devel- 
opment companies to certify their payment 
applications in accordance with the PCI Pay- 
ment Application Best Practices program. Ap- 
plications that meet these standards can be 



listed on the Visa Web site as PCI-approved 
payment applications. For more information 
for merchants, including the current transac- 
tion volumes/categories for each level, please 
see tinyurl.com/ypp9j4. For the full text of the 
Data Security Standard, please see 
tinyurl.com/ysdr77. To review the standards 
for the PCI Payment Application Best Prac- 
tices program, please see tinyurl.com/2lmfgp. 

How to review the state of security 

Data flows through a retail system, into and 
out of numerous applications and data stores. 
This flow, in its entirety, is the focus of a holis- 
tic approach to data security. A critical first 
step in any data-driven security review is to 
identify all the points and places where sensi- 
tive data is processed, transmitted and stored. 
The plan should address such issues as data 
retention and disposal, user access, encryp- 
tion and auditing. One must take into consid- 
eration that business needs will often trump 
security requirement, and an effective security 
plan must take all of the stake-holders needs 
into account or it will fail. 

People will always find a way to thwart secu- 
rity measures they don't understand or have a 
negative impact on their productivity. For each 
specific POS system significant amount of 
data should be collected, synthesized, and 
analyzed in order to draw specific conclusions 
beyond those presented in this article. 

The process should begin with the collection 
of all available design and architectural arti- 
facts - diagrams, architecture documentation, 
etc. Next, the POS team should facilitate an 
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architecture review meeting. During this meet- 
ing, a typical POS architecture should be de- 
scribed in detail, including various user stories 
that explain how the POS system is operated 
under different circumstances. 

The next phase should analyze the artifacts 
and meeting notes in order to synthesize the 
information and gain a thorough understand- 
ing of how the deployed POS will function. 
This should include a thorough reading of the 
design and architecture artifacts. Next, the ac- 
tual risk analysis should be performed, con- 
sisting of one or more of the risk analysis 
touch-point methodology sub-processes: 1) 
Attack resistance, 2) Ambiguity analysis, and 
3) Weakness analysis. 

For attack resistance analysis, the primary 
application components - and third party in- 
frastructure components - must be analyzed 
for known and published vulnerabilities, 
patches, etc. Ambiguity analysis should con- 
sist of comparing the POS design documenta- 
tion against discussions from a review kick-off 
meeting. Lastly, and most significantly, the ar- 
chitecture itself should be analyzed for poten- 
tial weak points and weak operational modes. 

Typical threats 

Any substantive analysis and discussion 
about an application's risks must include a 
discussion of the likely threats the application 
will face during its anticipated deployed life. In 
the analysis of the POS, the most likely 
threats that the system may face, for reasons 
we will describe below, are 1) malicious insid- 
ers and 2) technically knowledgeable outsid- 
ers motivated by profit. A brief discussion of 
each, along with the respective rationale, fol- 
lows below. 

Basic assumptions 

Due to the rigorous security design that usu- 
ally went into a typical POS architecture, the 
bar is set quite high with regards to the diffi- 
culty that an attacker should have in order to 
compromise the system. Even an opportunis- 
tic attacker who manages to break one of the 
system's infrastructure components should 
still need to go to great lengths to compromise 
any of the system's true "crown jewels"— e.g., 
a Local Security Service unlock key, the actual 
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POS keystore, or (untokenized) valid credit 
card data. As a result, it is assumed that a 
successful adversary should need to possess 
a significant level of technology expertise. 

As a goal any attacker should need to be 
more than just proficient at numerous tech- 
nologies that for example could include C, 
Java, UNIX/Linux, TCP/IP networking, etc. 
Additionally, the attacker should need to attain 
a significant understanding of the functional 
and design aspects of the POS itself. This 
could be achieved through reverse engineer- 
ing or analyzing the source code, design 
documentation, etc. 

A reasonable target for this analysis of a five- 
year life-span of the POS and the difficulties 
associated with keeping secrets for that long 
of a time period, it must be assumed that a 
sufficiently motivated attacker will be able to 
acquire (or hire) the technology expertise as 
well as the application-specific knowledge in 
order to attempt an attack. 

Phishing attacks on the Internet are increasing 
at an unprecedented rate, clearly indicating a 
dedicated and highly resourced profit- 
motivated adversary exists. It would be naive 
to think that such an attacker should not, at 
some point, turn his attention to retailers with 
a significant brand "footprint" around the 
world. 

Common insider threats 

There are likely to be one primary category of 
insider threat to the POS: retail employees. 
They may either be enlisted by an outsider(s) 
or may enlist the help of an outsider in order 
to attack the POS. Their motivations are likely 
to be either profit or to cause harm to the re- 
tailer by way of a direct denial of revenue and/ 
or tarnishing the retailer's brand with bad pub- 
licity that would almost inevitably be the result 
of a successful compromise. 

In any of the above scenarios, the insider has 
learned how the POS system functions to a 
level significant enough to attempt an attack. 
Traditionally, insider threats are the most diffi- 
cult to prevent and detect. Further, it is likely 
that no technology solution will be adequate to 
safeguard against every possible attack sce- 
nario. 



However, other industries (notably the finan- 
cial services industry) have handled insider 
threats for centuries. In situations where 
known technology weaknesses are recog- 
nized, the financial services industry typically 
compensates by instituting procedural "checks 
and balances" to greatly reduce the likelihood 
of successful attacks. 

In most cases, these checks and balances 
come in the form of separation of duties and 



multiple points of possible failure, resulting in 
no single employee, with the ability to easily 
compromise the entire system. Instead, a 
conspiracy would need to exist, which is 
deemed to be much less likely. That same 
methodology of separation of duties is lever- 
aged significantly in the recommendations 
made in this article in circumstances where 
weak points exist in a typical POS architecture 
out of necessity. 



IN SITUATIONS WHERE KNOWN TECHNOLOGY WEAKNESSES ARE RECOGNIZED, 
THE FINANCIAL SERVICES INDUSTRY TYPICALLY COMPENSATES BY INSTITUTING 
PROCEDURAL "CHECKS AND BALANCES" TO GREATLY REDUCE THE LIKELIHOOD 

OF SUCCESSFUL ATTACKS. 



Common outsider threats 

A second category of threat that must not be 
neglected is outsiders. Although their motiva- 
tion is far more likely to be profit rather than to 
harm the retailer's reputation, it is important to 
consider them in the analysis. At least two 
feasible scenarios exist that could provide an 
outsider with a vector for launching an attack 
on the POS. Both scenarios involve poorly 
configured retail store site networks. In the 
first scenario, a retail site network is mis- 
configured such that it is directly accessible to 
the external Internet at large. In this scenario, 
an opportunistic attacker may accidentally (or 
otherwise) find the retail network and begin an 
attack. 

The second scenario would involve a mis- 
configured site network that inadvertently al- 
lows any 'guest' data traffic to traverse the 
same network that the business systems, in- 
cluding the Local Security Service itself, re- 
sides on. In both cases, a successful attack 
on the POS itself should need to include a 
significant additional effort to explore, analyze, 
and learn the operation of the POS. Such an 
attack may well take months or more, but 
considering the five-year lifespan of the POS, 
it should be wise to treat it as possible, how- 
ever unlikely. 

Other threat considerations 

Although we consider the above threats to be 
the most likely, they are in no way the only 



ones that exist. Similarly, other motivations for 
attacking the POS may also exist. The Inter- 
net has seen an enormous amount of "joy rid- 
ing" attacks over the years that seem to be 
motivated by little more than intellectual curi- 
osity and bravado. The largest risk of suc- 
cessful attacks by these miscreants is denial 
of service and other forms of general havoc. 
Certainly, not something to be ignored, but the 
business impact to retail is not likely to be 
anywhere as significant as in either of the 
above scenarios. 

A retail system architecture 

This article is using illustrating examples 
based on a retail system with a Local Security 
Service performing encryption of credit card 
data at the retail store level. The encrypted 
data is decrypted by a Central Security Serv- 
ice. Security administration and key manage- 
ment is performed by a Central Administration 
Service. 

In the case where a store and forward ap- 
proach is used between the store locations 
and the central system, a few of the potential 
scenarios that are reviewed below can be 
avoided. These include a major WAN outage. 

In a typical Local Security Service deploy- 
ment, other (non-Local Security Service) 
components are housed on the same equip- 
ment that the Local Security Service resides 
on. 
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This may also include an archive of credit card 
(tokens if used) in the POS environment. Al- 
though data is encrypted and believed to be 
quite safe from inadvertent disclosure, other 
system failures (e.g., disclosure of the encryp- 
tion key) could expose the archived data to an 
attacker. The potential business impact to the 
retail organization in such a compromise 
should be regarded as high. 

The most effective means of minimizing this 
risk is to separate the Encryption Key Service 
from the other components residing on the 
same computer hardware, minimize the vol- 
ume of sensitive data, stored locally and if 
possible provide significant physical protection 
of hardware containing highly sensitive data. 
Many other industries commonly collect their 
most sensitive data and in data centers with 
substantial physical security. 

How to render data unreadable 

There are three radically different ways to 
render data unreadable: 1) two-way cryptog- 
raphy with associated key management proc- 
esses, 2) one-way transformations including 
truncation and one-way cryptographic hash 
functions and lastly 3) index tokens and pads. 
Two-way encryption of sensitive data is one of 
the most effective means of preventing infor- 
mation disclosure and the resulting potential 
for fraud. Cryptographic technology is mature 
and well proven, and there is simply no ex- 
cuse for not encrypting sensitive data. 

The choice of encryption scheme and topol- 
ogy of the encryption solution is critical in de- 
ploying a secure, effective and reasonable 
control. The single largest failure in deploying 
encryption is attempting to create an ad-hoc 
cryptographic implementation. Hash algo- 
rithms are one-way functions that turn a mes- 
sage into a fingerprint, usually several dozen 
bytes long binary string to avoid collisions. 

Truncation will discard part of the field. These 
approaches can be used to securing data 
fields in situations where you do not need the 
data to do business and you never need the 
original data back again, but unfortunately a 
hash will be non-transparent to applications 
and database schemas since it will require 
several dozen bytes long binary data type 
string (longer than the 20 bytes for the broken 
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SHA-1 or two-way symmetric encryption). An 
attacker can easily build a (rainbow) table to 
expose the relation between hash values and 
real credit card numbers if the solution is not 
based on HMAC and a rigorous key manage- 
ment system. Salting can also be used if data 
is not needed for analytics. 

An HMAC, is a type of message authentica- 
tion code (MAC) calculated using a specific 
algorithm involving a cryptographic hash func- 
tion in combination with a secret key. As with 
any MAC, it may be used to simultaneously 
verify both the data integrity and the authentic- 
ity of a message. Any iterative cryptographic 
hash function, such as MD5 or SHA-1 , may be 
used in the calculation of an HMAC; the re- 
sulting MAC algorithm is termed HMAC-MD5 
or HMAC-SHA-1 accordingly. The crypto- 
graphic strength of the HMAC depends upon 
the cryptographic strength of the underlying 
hash function, on the size and quality of the 
key and the size of the hash output length in 
bits. 

An attractive solution to this problem can be 
tokenization that is the act of replacing the 
original data field with reference or pointer to 
the actual data field. Tokenization enables you 
to store a reference pointer anywhere within 
your network or database systems and can be 
used to reduce the cost of securing data fields 
but will require a central service to assign 
permanent (persistent) token values. Tokeni- 
zation by a local service can be used to as- 
sign a non-permanent token value at multiple 
end points early in the data flow. A tokeniza- 
tion system must always be supported by a 
rigorous encryption system based on separa- 
tion of duties, secure audit, random key gen- 
eration and protection of keys and credentials. 

How to choose cryptographic algorithms 

The encryption algorithms used in the POS 
architecture should be chosen carefully and 
be widely accepted, subjected to extensive 
peer analysis and scrutiny. Such analysis is 
considered the norm in the cryptographic 
community. A weakness in the cryptographic 
algorithm could result in a complete compro- 
mise of the POS system. Thus, the potential 
business impact to retail would be extreme, 
and could result in failure of both of the POS's 
primary business objectives. 



Cryptographic failure would have such a sig- 
nificant impact, that it is strongly recom- 
mended that a rigorous review of the selected 
algorithms in use be conducted. It is generally 
considered a best business practice to use a 
published cryptographic algorithm for protect- 
ing sensitive information. Accepted algorithms 
typically include those specified by the Na- 
tional Institute of Standards and Technology 
(NIST) as being Federal Information Process- 
ing Standards (FIPS). 

Protection of cryptographic keys 

It is essential that each Local Security Service 
(as well as Central Security Services) retain a 
copy of the encryption key while in an opera- 
tional (unlocked) state. This is a necessity of 
its business mission. At the same time, how- 
ever, this "crown jewel" presents a security 
exposure of the POS system. An attacker with 
access to a Local Security Service could po- 
tentially peruse the system's processes and 
memory to acquire the key and decrypt data. 
The likelihood of this sort of attack succeeding 
is quite low, but must be it to be successful, 



the impact could be very high. Take every 
reasonable precaution to protect the key while 
the Local Security Service is operational. 

Combine software cryptography and 
specialized cryptographic chipsets 

Encryption keys should be protected when 
stored in memory or in databases, and during 
transport between systems and system proc- 
esses. This can be achieved by using a well 
balanced combination of software cryptogra- 
phy and specialized cryptographic chipsets 
(known as Hardware Security Module) can 
provide a selective added level of protection, 
and help to balance security, cost, and per- 
formance needs. Certain encryption keys and 
fields in a database require a stronger level of 
encryption, and a higher level of protection for 
associated encryption keys. Encryption keys 
and security metadata should continuously be 
encrypted and, have their integrity validated, 
even when communicated between proc- 
esses, stored or cached in memory. Security 
data should remain ciphered until needed for 
use by crypto-services routines. 



ENCRYPTION KEYS AND SECURITY METADATA SHOULD CONTINUOUSLY BE 

ENCRYPTED AND, HAVE THEIR INTEGRITY VALIDATED, EVEN WHEN 
COMMUNICATED BETWEEN PROCESSES, STORED OR CACHED IN MEMORY. 



Some keys must be available in memory 

Different types of keys need to be available in 
memory. With software based crypto the data 
encryption keys must be available in memory 
and with HSM based encryption the access 
keys to the HSM must be available in memory. 
It may not be feasible to use a primary and a 
secondary HSM in each store location. A solu- 
tion based on distributed software and an op- 
tional HSM is a feasible approach in many en- 
vironments since each POS must also be able 
to operate even if the connection to the HSM 
in the store is down. 

Memory attacks may be theoretical, but cryp- 
tographic keys, unlike most other data in a 
computer memory, are random. Looking 
through memory structures for random data is 
very likely to reveal key material. Well made 
encryption solutions go to great efforts to pro- 
tect keys even in memory. Protection meas- 



ures to consider should include memory com- 
partmentalization. Generate a separate ID that 
does the actual encryption/decryption, and 
ensure that no other process or system ID can 
access its memory. 

Ensure that the encryption/decryption process 
and its memory does not get swapped out to a 
virtual memory swap/page file, which could 
leave behind persistent residue that could in- 
clude the encryption key. Whenever the key is 
no longer needed, ensure that the memory 
location/variable where it was stored is thor- 
oughly wiped, so that no memory residue is 
left behind for an attacker to discover. Con- 
sider a centrally monitored host-based intru- 
sion detection system on every Local Security 
Service to vigilantly watch for attacks on the 
host itself. The above list of recommendations 
for encryption key handling is commonly prac- 
ticed throughout various industries where 
sensitive data is encrypted. 
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Some keys are more sensitive 

Key-encryption keys are used to encrypt the 
key while in memory and the encrypted key is 
then split into several parts and spread 
throughout the memory space. Decoy struc- 
tures may also be created that look like valid 
key material. Memory holding the key is 
quickly zeroed as soon as the cryptographic 
operation is finished. These techniques re- 
duce the risk of memory attacks. Separate 
encryption can also be used for different data. 



These encryption keys can be automatically 
rotated based on the sensitivity of the pro- 
tected data. Since web servers, application 
servers, and databases have no place on a 
dedicated cryptographic engine, these com- 
mon attack points are not a threat. A severely 
constrained attack surface makes it much 
more difficult to gain the access needed to 
launch a memory attack. To maintain a high 
level of security backups contain the en- 
crypted data and only securely encrypted 
lower level keys. Additional details about im- 
plementation of key management will be dis- 
cussed in a separate article. 



PCI DSS REQUIRES YOU TO USE DUAL CONTROL AND SPLIT KNOWLEDGE AND 
PROPER KEY MANAGEMENT PRACTICES TO MANAGE YOUR KEYS. 



Dual control, split knowledge and PCI 

PCI DSS requires you to use dual control and 
split knowledge and proper key management 
practices to manage your keys. Dual control 
and split knowledge can be expressed as - no 
one person should have access to any infor- 
mation, device, or function, that allows them to 
determine the key that is being protected 
more quickly than through the best attack 
known for that algorithm. Ideally, this means a 
brute force search of the entire key space. 

The determination of any part of the key must 
require the collusion between at least two 
trusted individuals. This requirement can be a 
challenge in the POS environment and solu- 
tion approaches will be discussed in a section 
about the Local Security Service below. 

Any feasible method to violate this axiom 
means that the principles of dual control and 
split knowledge are not being upheld. This 
principle is enforced by requiring both dual 
control, and split knowledge. In other words, 
at least two people are required to 'recon- 
struct' the key, and they must each have a 
physical thing (thereby providing dual control), 
and some information that is required (thereby 
providing split knowledge). It is not enough to 
split a 128 bit key 'in half with each half, con- 
taining the plaintext bits of the original key, 
one of the two custodians can determine the 
key by exhausting the other half - which re- 
quires only 2 A 64 operations, instead of the 



2 A 128 which is required for the entire key 
space. 

Storing key components on two media and not 
requiring any further authentication by the us- 
ers to use these components will not provide 
the required split knowledge. Storing a key 
enciphered under another key that can be re- 
constructed with one or more passphrases, 
provides split knowledge, but not dual control. 

Storing a key on a single media that requires 
one or more passphrases to access does not 
meet the requirements of dual control. The 
dual control and split knowledge is only re- 
quired to access the plaintext key. The use of 
a key to encipher or decipher data, or access 
to a key that is enciphered under another key 
does not require such control. 

Central help-desk access to keys 

At various times during normal POS opera- 
tions, Central Help-desk support staff and site 
system administration staff are likely to have 
access to unlock-keys and encryption-keys. 
Despite the fact that key management has 
been carefully thought through to minimize 
these exposures, opportunities do exist for 
this support staff to compromise customer 
data. Further, detecting this sort of insider at- 
tack can be extremely difficult, but the impact 
of a successful attack on the POS could be 
quite severe. 
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Best practices in similar data environments 
generally include most or all of the following 
measures. Checks of all personnel involved in 
sensitive operations such as key manage- 
ment. Ideally, support staff that has access to 
encryption keys should not have access to 
any sensitive, encrypted data and vice versa. 
This, however, can be a difficult measure to 
implement. To the extent feasible, functional 
duties should be separate within the data cen- 
ter. For example, Central Help-desk personnel 
who handle Local Security Service unlocking 
should not also be involved with encryption 
key management. 

The above recommendations are entirely con- 
sistent with practices found in numerous other 
industries where similar access to sensitive 
customer data is required. The financial serv- 
ices industry, in particular, makes regular use 
of similar operational practices. 

PKI considerations 

A tight integration of PKI and the POS system 
is possible in advanced POS environments. 
Rigorous mutual authentication, data encryp- 
tion, etc., that a PKI enables are considered to 
be best practice solutions across numerous 
industries today. Consequently, a failure of the 
PKI would without a doubt have a devastating 
effect on the POS. A PKI 'situation', such as 
the retail organization's CA certificate appear- 
ing on a CRL could halt the entire PKI in its 
tracks. Since the PKI is literally infrastructure 
of the POS, a PKI failure could have a com- 
mensurate affect on the POS, resulting in 
considerable business impact to the retail or- 
ganization. 

Although the deployment and operation of the 
retail organization's PKI is outside of the direct 
scope of the POS project, great care must be 
taken to ensure that the PKI is operated in 
compliance with all relevant PKI industry best 
practices and procedures. 

SSL keys in plaintext 

During a POS review, it is common to find 
SSL private keys left in plaintext on some 
servers. This could indirectly help an attacker 
get one step closer to successfully attacking 
the POS. In particular, the plaintext SSL key 
could enable an attacker to masquerade as 
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authorized server in a Security Service con- 
versation. The likelihood of such an attack 
succeeding is quite low, but could enable an 
attacker to do anything that the local service 
is able to do. Consider password protecting 
the SSL key for the service. Although this can 
be unfeasible in some operational scenarios, if 
it doesn't present an undue burden for the re- 
tail organization, it should be done. 

Password protecting SSL keys is commonly 
done on production servers throughout vari- 
ous industries. On the other hand, doing so is 
often not feasible, and thus, it is not uncom- 
mon to find plaintext SSL keys in production 
data centers. It is less common to find plain- 
text keys on field-deployed servers, however. 

Protecting the Security Services 

A computer may sometimes be outside the 
physical control of its intended users. For ex- 
ample, a server, USB-drive or disk may be 
stolen rather easily. Therefore, it is prudent to 
restrict access to the computer's functions, for 
instance by requiring the entry of a password. 
It is also prudent to protect the files on the 
computer by encrypting them, for example 
under an encryption key derived from the 
password. The password itself should not be 
kept in the clear on the computer. 

In this way, only parties that know the pass- 
word can use the computer and read the files, 
even if they have direct access to the com- 
puter's storage devices. The password should 
be strong enough that an attacker cannot ob- 
tain it by guessing, and then decrypt the files. 
Assume that the user and computer a some 
secure means of communicating, perhaps be- 
cause the user has direct, physical access, or 
can establish a secure network connection. 
The user may type a password into the server 
at log-in time and in addition to we add a 
password supplement that may be 40 bits 
chosen randomly. 

Both will be replaced every time the user picks 
a new password, and when the computer is 
re-started, and can establish a secure network 
connection with the central key management 
computer. A challenge-response process may 
be added to avoid replay attacks if a cloned 
end-point server is attacked by using the 
manually entered password. 
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Unlocking the Local Security Services 

Each Local Security Service should be locked 
upon start-up. While locked, all sensitive data 
is encrypted and presumably safely stored. 
During the Local Security Service start-up 
procedure the application is unlocked so that it 
can get on with its business processing func- 
tions. Unlocking can occur through an auto- 
mated or manual process - the latter is in- 
voked in situations where the retail WAN con- 
nectivity is unavailable for some reason. 

The security of this process depends on the 
secrecy of the unlock keys, which are unique 
to each retail site and should only be used 
once. Under the automatic unlocking process, 
the unlock key is discarded after use (and 
presumably wiped from memory) and then a 
new unlock key is automatically rotated in via 
the Security Administration Service, thereby 
greatly reducing the exposure of the unlock 
key. The manual unlock process, on the other 
hand, exposes a valid unlock key to at least 
two people - a central help-desk support per- 
son and a system administrator at the respec- 
tive retail site (or similar). 

Although the key is rotated after use, a mali- 
ciously cloned Local Security Service envi- 
ronment could still be unlocked using that un- 
lock key if the cloned system remains off-line. 
This could enable an attacker to invoke and 
unlock a cloned Local Security Service in a 
safe environment and potentially use the data 
and processes on the Local Security Service 
to decrypt cached/archived credit card data. 
The impact of a successful breach of this 
process could be extreme. Customer data for 
several years could be compromised, result- 
ing in customer identity theft, retail reputation 
tarnishing, etc. 

This situation is acknowledged in a typical 
POS architecture and can be addressed by 
asymmetric keys or compartmentalization of 
symmetric encryption keys to limit the amount 
of data that is accessible by each encryption 
key. Additional details about implementation of 
solutions based on asymmetric keys and 
compartmentalization of symmetric crypto will 
be discussed in a separate article. If this is not 
implemented, it would be possible for an at- 
tacker, through social engineering, to get the 



unlock secret from Central Help-desk, and 
then use this to attack the system. 

Authentication cannot be done by the 
POS itself 

Note that this authentication cannot be done 
by POS itself - it must be an out-of-band 
mechanism. It is vital that a robust business 
process complete with adequate checks and 
balances, be instituted at every retail site that 
will run a Local Security Service. Additional 
technologies could be deployed to further pro- 
tect this vital aspect of the Local Security 
Service's operation, such as smart cards. A 
smartcard based identification, authentication, 
and authorization mechanism should be a 
significant improvement in protecting the 
startup and unlock process for each Local Se- 
curity Service. It is understood, however, that 
such measures in many cases would not be 
feasible to deploy at each retail location. As 
such, a process as mentioned above is even 
more important to address carefully. In nu- 
merous industries, mission critical applications 
commonly leverage technologies such as 
smart cards, one time passwords, and others 
for protecting such vital operating states as 
unlocking the Local Security Service. 

The unlock keys are available in different for- 
mats in automatic mode and in response to a 
request to the Central Helpdesk. The same 
key is not used in both cases. The whole path 
in the automatic case must be protected. 
Since the key may be requested from the 
Helpdesk, the Helpdesk should not have 
complete knowledge of a single key for one 
store and the keys should be different across 
different stores. Additional details about the 
implementation of dual control in the auto- 
matic unlocking process will be discussed in a 
separate article. 

Protecting Web-facing applications 

PCI DSS Requirement 6.5 requires that Web- 
facing applications be developed in accor- 
dance with secure coding guidelines to guard 
against such attacks. A successful SQL injec- 
tion attack can have serious consequences. 
SQL injection attacks can result in the crip- 
pling of the payment application or an entire e- 
commerce site. 
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Through this avenue of attack, an attacker can 
break out of the Web server and database 
realms, gaining complete control over the un- 
derlying system. Another serious conse- 
quence can be the compromise and theft of 
data that resides within the payment applica- 
tion infrastructure. SQL injection is a tech- 
nique used to exploit Web-based applications 
by using client-supplied data in SQL queries. 
SQL injection attacks are caused primarily by 
applications that lack input validation checks. 
Recently, commercial shopping cart products 
have been the focus of attack by hackers who 
seek account information. Automated tools are 
available in the marketplace to protect appli- 
cations for susceptibility to an SQL injection 
attack and should be utilized. 

Logging server 

Event logging, for PCI compliancy, forensics, 
and other purposes, is handled by a syslog 
server located in the Central Site, Syslog-NG 
will be used as an example since it is a syslog 
replacement supporting IPv6 and capable of 
transferring log messages reliably using TCP. 
Although Syslog-NG offers numerous opera- 
tional and availability benefits beyond its 
predecessor (Syslog), it does little to protect 
any sensitive data that gets logged. Further, 
the Syslog-NG server is not integrated into the 
typical PKI that some POS components may 



use. Thus, it represents a potential weak point 
where an attacker may be able to obtain sen- 
sitive POS data, in particular credit card data. 
One avenue of attack could involve an at- 
tacker setting up a rogue syslog-ng server and 
tricking the Local Security Service into send- 
ing it log events to include data. 

The impact of a successful Syslog-NG-based 
attack should be similar to any attack that in- 
volves compromising data - quite high. Al- 
though this attack is quite unlikely, several 
steps should be taken to further minimize its 
likelihood. These should include integrating 
the Syslog-NG server into the PKI so that the 
Local Security Service and other components 
can strongly (mutually) authenticate with it, 
ensure rigorous host-hardening is done during 
the configuration of the Syslog-NG server. 
Also consider encrypting the actual data vol- 
ume on the Syslog-NG server via an encrypt- 
ing file system and minimize access to the 
Syslog-NG data to those staff who have an 
operational requirement to access it. 
Sensitive data logging in other industries, 
such as the financial services industry, is 
commonly strongly protected using methods 
such as those described above. Data centers 
containing such information are also com- 
monly deployed with extensive physical secu- 
rity controls, rigorous access controls, com- 
partmentalization of data, and so forth. 



COMMERCIAL SHOPPING CART PRODUCTS HAVE BEEN ATTACKED BY 
MALICIOUS HACKERS WHO SEEK ACCOUNT INFORMATION. 



Additional operational issues 

In analyzing a typical POS architecture and 
operation, in the case a store and forward to- 
pology is not used, a few potential denial of 
service scenarios must be theorized. These 
include a major WAN outage that forces sites 
to use the Central Help-desk helpdesk for un- 
locking their Local Security Services and a 
long-term WAN outage and subsequent re- 
connection that results in a cache flood of the 
Central Site (including Syslog-NG, Central 
Security Services, and Security Administration 
Server systems). The common factor in most 
of the theorized scenarios may include wide- 
spread Local Security Service connections 



into the Central Site that result in overwhelm- 
ing the systems within the Central Site. 
The direct impact of such an attack would be 
to halt POS operations at the Central Site. It is 
possible that the sites continue running in a 
disconnected mode, but whenever they try to 
reconnect to the Central Site, another denial 
of service is the result. Such DoS reverbera- 
tions could even recur if the dynamics of the 
entire system are not carefully designed. En- 
sure that the various POS components can 
safely adapt to a wide range of LAN/WAN 
connectivity states. Make sure the Central Site 
components themselves are able to throttle 
incoming connections after long term outage 
situations so that they do not become 
overwhelmed. 
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Degraded WAN operation 

During analysis of the POS system as a 
whole, the team theorized some modes of op- 
eration that may result in problems. For ex- 
ample, if a WAN or Central Site outage re- 
quires the secondary (Security Administration 
Server recovery) system to go into production, 
and the network connectivity to/from the sec- 
ondary site is not as robust as that for the 
Central Site itself, there could well be situa- 
tions where Local Security Service to Security 
Administration Server communications are 
substantially degraded. This may in turn result 
in a long-term caching of data and such, as 



well as a subsequent "data storm" in the Cen- 
tral Site when normal communications re- 
sume. 

The impact of this sort of situation could vary, 
but is not likely to be severe. A likely worst 
case scenario would include denial of service 
disruptions at the Central Site upon resuming 
normal business operations. Consider and 
plan for a wide range of LAN/WAN connec- 
tivity for the deployed Local Security Service 
servers such that they are least likely to flood 
the Central Site after prolonged outages or 
significantly degraded communications peri- 
ods. 



THE IMPACT OF ANY PARTICULAR COMPONENT VULNERABILITY DEPENDS ON THE 
NATURE OF EACH VULNERABILITY, BUT IN THE AGGREGATE, THE POTENTIAL 
IMPACT TO THE RETAIL ORGANIZATION SHOULD BE PRESUMED TO BE HIGH. 



Infrastructure operational environment 

The POS may include numerous off the shelf 
components and technologies (e.g., 
WebSphere, Struts, any (Java) package and 
library for managing projects and dependen- 
cies, Linux, UNIX). Since a system is only as 
secure as its weakest link, weaknesses in any 
of these components could provide an at- 
tacker with a vector to launch an attack on the 
POS itself. During this type of review, a cur- 
sory review of known and published vulner- 
abilities should be performed on several of the 
above components. 

The actual impact of any particular component 
vulnerability depends on the nature of each 
vulnerability, but in the aggregate, the poten- 
tial impact to the retail organization should be 
presumed to be high. Robust operational 
processes and procedures should be insti- 
tuted across all POS components, including 
every Local Security Service operating at re- 
tail sites. These should include a suite of best 
practices in the areas of protection, detection, 
and response. Specific attention should be 
paid to network and operating system/platform 
configuration management. 

Protecting administrative functions 

Atypical POS architecture may include a 
(read-only) monitor in the form of a simple 
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web app interface for site system administra- 
tors to be able to see the operational status of 
their Local Security Services. This function 
may be intended to be used by local site per- 
sonnel only. 

Although (presumably) no sensitive data 
should be available to an outsider through this 
interface, it is a good idea to protect it from 
outside access as described below. The im- 
pact of an outsider accessing the POS moni- 
tor GUI should not be quite low, but could re- 
sult in embarrassment to the retail organiza- 
tion should it be publicly disclosed. Minimize 
the likelihood and impact of this weakness by 
enable the monitor GUI on only the "localhost" 
(loopback) network interface; alternatively, if it 
is required to be accessed from a central help- 
desk site LAN, enable access only via a single 
(or small set of) approved IP address(es) and 
use a username/password for accessing the 
monitor GUI. 

Administration and recovery 

Although the POS may itself be essentially 
stateless, at a micro level, it must contain 
state data such as encryption keys, unlock 
keys for each retail site, update configuration 
data, and so forth. As such, the BC/DR sys- 
tems must be current with the operational 
state of the primary production servers or else 
a state skew could occur. 
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Although the impact of such a failure could be 
quite high , its likelihood of occurring may 
considered to be to be low. Ensure that all BC/ 
DR planning and processes include state up- 
dating of the production POS servers on an 
on-going basis. Further, these systems should 
go through periodic live testing to help keep 
them in as reliable an operational state as 
possible. Mission critical systems throughout 
numerous other industries are regularly ex- 
pected to have robust and mature business 
continuity including secondary data centers 
and such. 

Updating the Local Security Service 

Another Local Security Service mode of op- 
eration during which it potentially exposes a 
weakness is during the update process. This 
process, can be orchestrated via a third party 
components, involves checking versions of all 
system components (e.g., jar files) and, if 
necessary, retrieving updates from the Central 
Security Services. Although all such compo- 
nents are digitally signed to aid in detecting 
any tampering, spoofing, etc., the security of 
the entire update process depends on Any 
(Java) package and library for managing pro- 
jects and dependencies. 

This (sometimes XML) formatted file contains 
all of the pointers to the respective system 
components, and is stored locally on the Local 
Security Service during start-up. One mode of 
attack could be to maliciously alter the .xml file 
such that it loads maliciously extended Java 
class files instead of the legitimate POS files. 
As with the Local Security Service unlock 
functionality, a compromise of the update 
function could result in a complete compro- 
mise of the Local Security Service and all its 
sensitive data. Thus, the overall business im- 
pact to the retail organization could be ex- 
treme. Both unlock and update functions are 
necessary features for such a widely distrib- 
uted system, thus omitting these features is 
not be a feasible solution. 

Omitting the update function would result in 
enormous configuration management over- 
head to the retail organization. The result 
should without a doubt be an untenable op- 
erational posture. Thus, the risks that these 
functions present should be accepted as a 
cost of doing business. In addition similarly to 
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the unlock function, the update function 
should include business processes that 
maximize separation of duties, checks and 
balances, etc. Although no single mechanism 
can achieve perfection, some security mecha- 
nisms around the update function should in- 
clude rigorous access control including object 
files, environment variables, IDS signatures 
that specifically look for attempts (successful 
or otherwise) to tamper with files and a fail- 
safe process if compromise attempts are de- 
tected. 

Passwords issues 

Passwords are the most common form of user 
authentication in computer systems, but they 
represent a weak link of a protection system. 
An administrative or master password should 
be particularly complex. Below is one easy 
way to solve the general password protection 
issue by using an encryption solution that can 
be application transparent and resistant to 
'multiple attack vectors' protecting the access 
to API, to databases and to SSL communica- 
tion sessions. 

An encryption server box should be hardened 
and the session should be authenticated (with 
a password or multi-factor authentication) and 
encrypted (SSL or similar). Lock down the ap- 
plication storage of the passwords to the log- 
ins for the database, communication and the 
encryption server. A mature transparent file 
system encryption product on the application 
server platform can lock down the storage of 
the password and may also delegate a trans- 
parent authorization to the application. 

Increase the security of passwords 

Password strengthening is a compatible ex- 
tension of traditional password mechanisms. It 
increases the security of passwords, without 
requiring users to memorize or write down 
long strings. Password strengthening does not 
assume any extra hardware, and does not in- 
troduce any of the vulnerabilities that come 
with extra hardware. These characteristics 
makes password strengthening easy to adopt, 
and appealing in practical applications. The 
method does not require users to memorize or 
to write down long passwords, and does not 
rely on smart-cards or other auxiliary hard- 
ware. 



The main cost of this method is lengthening 
the process of checking a password. Each 
password hash is associated to a small, usu- 
ally random value called salt. The salt does 
not need to be kept secret, and it is used to- 
gether with the password to generate the 
password hash. While the use of salted pass- 



words does not increase the task for recover- 
ing a particular password, a salt of sufficient 
length should preclude pre-computed, offline 
dictionary attacks, as it becomes impractical 
to compute a large table of hashes corre- 
sponding to possible passwords and salt val- 
ues in advance. 



ONE OF THE WEAKEST ASPECTS OF PASSWORD BASED AUTHENTICATION 
IS THE LOW ENTROPY OF COMMONLY CHOSEN PASSWORDS. 



Issues with weak passwords 

One of the weakest aspects of password 
based authentication is the low entropy of 
commonly chosen passwords. 

The main attacks for recovering clear text 
passwords from hash values consist of com- 
putation of all possible passwords up to a cer- 
tain number of characters (exhaustive search 
attack), or perhaps a list of typically chosen 
passwords (dictionary attack). The computa- 
tion is usually performed offline and the at- 
tacker simply compares the values on the 
password table with the pre-computed list. 

Systems should therefore enforce password 
complexity rules, such as minimum length, re- 
quiring letters to be chosen from different sets 
of characters (e.g. lower-case, upper-case, 
digits, and special characters), etc. 

An appropriate password length depends on 
the amount of resources available to the at- 
tacker that an organization wishes to defend 
against. Assuming an attacker has access to 
optimized DES-cracking hardware an organi- 
zation may need to enforce 1 2-character 
passwords and a password expiration dura- 
tion of 60 days to mitigate a brute-force attack 
against the password hash. A password gen- 
erator is able to generate a strong password 
policy of a random sequence of numbers, 
lower-case letters, and upper-case letters. 

These passwords are random and therefore 
very difficult for a hacker to guess. A password 
generator thwarts any key-logging attempts by 
automatically copying the generated password 
into the password field. Since your password 
is never typed and never copied to the clip- 



board, a key-logger has no chance to capture 
your information. 

Slowing down an attacker 

A slow one-way algorithm will not noticeably 
increase the cost of one operation (e.g. for the 
legitimate user when logging in), but it sub- 
stantially increases the task of mounting an 
exhaustive search attack. A common ap- 
proach is to iterate the original one-way func- 
tion many times. Some systems one-way 
function encrypts a known string 25 times with 
DES using a key derived from the user's 
password (another feature is that the salt 
value actually modifies the DES algorithm it- 
self, making it harder for an attacker to use 
dedicated DES hardware to mount an attack. 
Given the current computer resources avail- 
able, a minimum of 5000 iterations for con- 
structing the hash algorithm, is recommended. 

Other Controls 

Compensating controls may be considered 
when an organization cannot meet a technical 
specification of a requirement, but has suffi- 
ciently mitigated the associated risk. The ef- 
fectiveness of a compensating control is de- 
pendent on the specifics of the environment in 
which the control is implemented, the sur- 
rounding security controls, and the configura- 
tion of the control. Organizations should be 
aware that a particular compensating control 
will not be effective in all environments. Each 
compensating control must be thoroughly 
evaluated after implementation to ensure ef- 
fectiveness. For organizations unable to ren- 
der sensitive data unreadable (for example, by 
encryption) due to technical constraints or 
business limitations, compensating controls 
may be considered. 
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The basic conclusion from this analysis is that 
a combination of application firewalls, in addi- 
tion to the use of data access monitoring and 
logging may, if effectively applied, provide 
reasonable equivalency for the use of data 
encryption across the enterprise. Such a 
combination of controls has weak spots how- 
ever, mainly when it comes to preventing 
damage from careless behavior of employees 
or weak procedures in development and sepa- 
ration of duties. 

Only organizations that have undertaken a 
risk analysis and have legitimate technological 
or documented business constraints should 
consider the use of compensating controls to 
achieve protection. Organizations that con- 
sider compensating controls for rendering 
sensitive data unreadable must understand 



the risk to the data posed by maintaining 
readable data. 

Generally, the controls must provide additional 
protection to mitigate any additional risk posed 
by maintaining readable data. Compensating 
controls should consist of a comprehensive 
set of controls covering additional 
segmentation/abstraction (for example, at the 
network-layer), providing ability to restrict ac- 
cess to data or databases based on IP 
address/Mac address, application/service, 
user accounts/groups, data type (packet filter- 
ing), restrict logical access to the database, 
control logical access to the database (provid- 
ing separation of duties) and prevent/detect 
common application or database attacks (for 
example, SQL injection). 



A COMBINATION OF APPLICATION FIREWALLS, IN ADDITION TO THE USE OF 
DATA ACCESS MONITORING AND LOGGING MAY, IF EFFECTIVELY APPLIED, 
PROVIDE REASONABLE EQUIVALENCY FOR THE USE OF DATA ENCRYPTION 

ACROSS THE ENTERPRISE. 



Multiple network segments 

Multiple network segments based in different 
geographic locations may require costly ad- 
ministration. The environment can be difficult 
to administer and sometimes people have to 
break "other" rules to administer effectively. 

Many security/auditing tasks have to be dupli- 
cated for every environment where database 
resides. Database only network segment(s) 
have advantages including centralized entry 
point to manage and monitor all activity, ad- 
ministrative tools can effectively manage 
security/auditing tasks, database environ- 
ments are brought together, in a reduced 
number of environments, in "back office", and 
separate database from application further re- 
ducing access to environments. 

Adequate network segmentation, which iso- 
lates systems that store, process, or transmit 
sensitive data from those that do not, may re- 
duce the vulnerability of the data environment. 
Network components include firewalls, 
switches, routers, wireless access points, 
network appliances, and other security appli- 
ances. 
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Server types include but web, database, 
authentication, mail, proxy, and domain name 
server (DNS). Applications include all pur- 
chased and custom applications, including in- 
ternal and external (Internet) applications. 

Data usage control 

An advanced POS architecture may include a 
"Data Usage Controller" module that acts as a 
sort of intrusion detection system. Its purpose 
is to protect the data by looking for statistical 
anomalies in how a particular site accesses 
the data, and reporting any significant events 
to the Security Administration Server. 

Until the statistical anomaly detection algo- 
rithm has proven itself in this way, it is likely to 
generate a significant number of both false 
positives and false negatives. This is largely 
unavoidable. 

The direct security impact of excessive false 
positives from the Data Usage Controller 
should are small. 



Indeed, a worst case scenario would be if an 
attacker realizes that the Data Usage Control- 
ler is prone to false positives, in which case he 
attempts to flood the Data Usage Controller 
monitoring facility with false positives in order 
to "smoke screen" a real attack elsewhere. 

This attack is not very likely, but should not be 
ignored. If possible the Data Usage Controller 
algorithm should be tested thoroughly during 
the early deployment phases of the POS sys- 
tem. 

Deliberately flooding it across numerous Local 
Security Services and observing the behavior 
at the Central Site, for example, should be 
part of the deployment process. As with any 
IDS-like system, its thresholds will inevitably 
require close attention whenever a new Local 
Security Service is deployed. 

Conclusion 

Common architectural weaknesses that can 
lead to data compromise were identified and 
approaches beyond PCI to safeguard informa- 
tion in a retail environment were discussed. 
Careful balance between business goals and 
security reduce the risk of a compromise that 
can threaten the retail organization's brand 
reputation and business operations. 

Weaknesses discussed here can prove to be 
effective at prioritizing testing attention and 
effort. In other words, the testing, design re- 
view, code review, penetration testing, and 
other processes should be prioritized in order 
to make the most effective use of the available 
development resources. 



Hash algorithms or truncation can be used to 
secure data fields in situations where the data 
is not needed to do business and the original 
value is not required, but unfortunately a se- 
cure hash will be non-transparent to applica- 
tions and database schemas since it will re- 
quire a longer binary data type string than 
symmetric encryption require. An attacker can 
easily build a table to expose the relation be- 
tween hash values and real credit card num- 
bers if the solution is not based on a rigorous 
key management system or scattered by us- 
ing salting. 

An attractive solution to this transparency 
problem can be tokenization supported by a 
rigorous encryption system based on separa- 
tion of duties, secure audit, random key gen- 
eration and protection of keys and credentials. 

The environmental footprint is part of the deci- 
sion process and elements such as power 
utilization, heat generation, physical rack- 
space, and upgrade and disposal strategies 
are all part of the green equation. 

Mature security solutions address the green 
security challenge by delivering software solu- 
tions that operate on existing computing infra- 
structure, typically on the same server as the 
application or database being secured. The 
appropriate level of encryption key protection 
can be achieved by using a well-balanced 
combination of software cryptography and se- 
lective use of small footprint standard com- 
modity type Hardware Security Modules. 

This approach can provide the needed level of 
protection while balancing security, cost, and 
operational needs. 
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Mikko Hypponen is the Chief Research Officer for F-Secure. He led the team 
that took down the world-wide network used by the Sobig.F worm in 2003, 
was the first to warn the world about the Sasser outbreak in 2004 and the first 
to stop the Zotob worm in 2005. Mr. Hypponen has addressed the most impor- 
tant security-related conferences worldwide. He is also an inventor for several 
patents, including US patent 6,577,920 "Computer virus screening". He was 
selected among the 50 most important people on the web in March 2007 by 
the PC World magazine. 



What was the most dangerous piece of 
malware in 2007? Why? 

It was Storm. 

On Friday, January 19th 2007, e-mail mes- 
sages with subject lines based on actual news 
began to circulate. The subject line of "230 
dead as storm batters Europe" coined the 
name Storm. There were in fact dozens of real 
deaths related to European storms during that 
time. 

Using sensationalized versions of real head- 
lines as a template proved to be a very clever 
bit of social engineering and was initially very 
successful. However, during H1 the headline 
technique's success declined as it was re- 
peated too often. So the gang behind Storm 
adjusted their procedures. During the second 
half of 2007 (H2), they have continuously up- 



dated their social engineering tactics. Target- 
ing the U.S. — they have used holidays such 
as Labor Day and seasonal events such as 
the beginning of the National Football League 
(NFL) season. Targeting others — the gang 
keeps up-to-date with popular trends and 
sites. One of their tricks was the promise of 
seeing "yourself" in a supposed YouTube 
video in a message pointing to a fake You- 
Tube site. 

The gang has also altered Storm's infection 
vector as detection of Storm increased and e- 
mail attachments were blocked. Instead of at- 
taching the malware to the e-mail messages 
as before, they spammed messages with links 
to malicious Web pages. When the detection 
of the Web pages increased, they cleaned up 
the pages and instead linked to the malware 
from the page. 
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So the vector evolution moved from e-mail at- 
tachments to Web pages pushing files to Web 
pages linking to files. (And those files are 
modified on the fly...) The evolution continues 
and adjusts as needed. 

It is interesting to note that we have seen 
Frames (inline frames) used by some Storm 
sites offering 16 versions of Storm to U.S. 
based IP addresses rather than the 9 that 
were offered to IP addresses outside the 
United States. Storm is produced in Europe 
but the social engineering has a definite U.S. 
agenda. They appear to have agents on both 
sides of the Atlantic. 

The computers responsible for sending Storm 
spam and for the hosting of Storm's Web 
pages are they themselves part of the Storm 
botnet. And that botnet is rather unique as it 
utilizes peer-to-peer (P2P) protocols. Tradi- 
tional botnets use a centralized approach. If 
the server is located and taken out of service, 
then the botnet's head is decapitated. Storm is 
a collective with no central point to shut down. 
There's no central command-and-control point 
to kill. 



September's Malicious Software Removal 
Tool, part of Microsoft's monthly updates, 
made a dent in the size of the Storm botnet — 
the tool removed a good number of Storm's 
bots during the update process — but the bot- 
net remains and the dent hasn't muted its 
overall strength. 

Another special feature of the Storm botnet is 
that it protects itself. Repeat requests from a 
single source of one particular machine will 
result in many members of the botnet retaliat- 
ing with a Distributed Denial of Service 
(DDoS) attack. Researchers must use caution 
during investigations or the botnet gets ag- 
gressive. 

October brought evidence of Storm variations 
using unique security keys. The unique keys 
will allow the botnet to be segmented allowing 
"space for rent". It looks as if the Storm gang 
is preparing to sell access to their botnet - and 
this finally started to happen for real in Janu- 
ary 2008 when we saw first phishing run done 
with sites hosted in Storm botnet. 



The organized enemy is already affecting the antivirus industry. 
I know analysts who have been threatened. 



What has been the economic impact of 
malware for organizations during the past 
year? Is the overall situation improving? 

I'd love to see the situation getting better... but 
I'm afraid it's getting worse. 

The actual amount of money being made by 
criminal online gangs seems to be impossible 
to measure. But in any case we're talking 
about hundreds of millions of Euros annually. 

Will the rising skill level of malicious uses 
and their grouping into criminal organiza- 
tions ultimately have an impact on the anti- 
malware industry? 

The organized enemy is already affecting the 
antivirus industry. I know analysts who have 
been threatened. People are laying low. Using 
unlisted addresses and so on. 



Microsoft claims that Windows Vista is the 
most secure OS they've produced so far. 
How does it stack up in the real world to 
the assault of assorted malware varieties? 

This is incorrect. Operating system of XBOX is 
certainly more secure than Vista. 

Vista is faring pretty well so far. Majority of the 
attacks are still targeting XP as it has a much 
larger user-base and apparently it's generat- 
ing enough revenue for the attackers. Vista 
attacks will intensify as XP starts to slowly 
fade away. 

5) With Linux and Mac OS X gaining mar- 
ket share among end users, many are 
speculating that this will lead to an in- 
creased influx of malware for those operat- 
ing systems. What's your take on that? 

The year 2007 was a banner one for Apple — 
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their hardware is more popular than ever. 
More Apple hardware equals a greater in- 
stalled base of Apple software. 

DNSChanger trojans have started targeting 
Mac OSX. Social engineering is used to per- 
suade users to enter their admin password for 
the install — not a big problem for clever so- 
cial engineering. Getting a Mac user to type 
his password for an easily installed "video co- 
dec" isn't a significant challenge to overcome, 
at least it hasn't been a challenge for pass- 
word protected Windows malware. And we're 
seeing a growing number of Mac 
DNSChanger variants. The previous lack of 
Mac OSX malware could be a distinct disad- 
vantage for its users. Social engineering can 
short-circuit a false sense of security. 

Apple Mac's market share is now significant 
enough for the Zlob parasites to target, as 
malware gangs don't make an effort to de- 
velop something without the promise of a prof- 
itable return. 

Apple's Safari browser for Windows likely con- 
tributed to this development. Released in mid- 
June, researchers seized upon the Safari for 
Windows Beta and many security flaws were 



discovered. Many of those flaws were mir- 
rored in the Mac version of Safari. 

Web sites pushing DNSChangers determine 
the OS and the browser version being used by 
the visitor. The appropriate version of the 
malware is dynamically provided — visit with a 
Mac and you'll get Mac malware. 

Also, the Apple iPhone is out there. It uses a 
version of Mac OSX, which is in turn based on 
Unix. If you understand Unix security, then 
you can relatively easily "port" your knowledge 
and understanding to the iPhone. 

The iPhone also comes installed with the Sa- 
fari browser and provides full rights to it. With 
the portability of understanding and the known 
Safari flaws mentioned above, coupled with 
the excellent hardware design, focus greatly 
intensified on the iPhone. Including the fact 
that the iPhone is a "locked" device and you 
have a perfect combination of factors leading 
to iPhone exploit research. 

Exploits for the iPhone are sought as a means 
to unlock the device. But in revealing those 
exploits there's a security consequence. The 
first iPhone Trojan was found in January 2008. 



Drive-by-downloads from malicious web pages are going to become 
a larger problem than traditional e-mail malware. 



Is there a universal solution for fending off 
blended threats? What kind of assaults 
should we be on the lookout for? 

Targeted attacks are only going to get worse. 



times a day. Also make sure the products has 
HIPS-like features to protect you against un- 
known malware without relying on signatures 
or heuristics. A good rootkit detector would be 
an important feature as well. 



Drive-by-downloads from malicious web 
pages are going to become a larger problem 
than traditional e-mail malware. 

There's a variety of anti-malware tools on 
the market and everyone claims they are 
the very best. In your opinion, what should 
the end user base his purchasing decision 
on? What are the most important features 
that define such a critical piece of soft- 
ware? 

Look for a tool that works silently in the back- 
ground and gets automatic updates several 



Although there have been many predic- 
tions about malicious code attacking mo- 
bile devices in the past, it hasn't happened 
yet on a large scale. Is there a real possi- 
bility that we will see an outbreak of mal- 
ware on platforms such as Symbian and 
Windows Mobile in the near future? 

We've been working extensively with mobile 
phone vendors and operators to prevent such 
attacks - so far so good. Right now the biggest 
problem seems to be mobile spyware that can 
be used to monitor your activities and to 
eavesdrop your discussions. 
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What was the most dangerous piece of 
malware in 2007? Why? 

The Storm worm, also known as Dref or Dorf, 
was 2007's most disruptive threat - this mal- 
ware family had countless reiterations, a few 
of which are listed below. 

The people behind the Storm attack have 
used a tried-and-tested formula of social engi- 
neering to get people to open their widely 
spammed-out emails and click on malicious 
links. By using topical news stories, or the lure 
of an electronic greeting card, videos and fear 
tactics, the cybercriminals seem to find a 
never-ending stream of unsuspecting users 
prepared to click without thinking twice. 

The campaign started with a Happy New Year 
message first seen on 30 December 2006. It 
hit email systems hard in the last two days of 
2006, posing as an electronic greeting cele- 
brating the new year. With subject lines such 
as "Happy New Year!", "Fun Filled New Year!" 



and "Happy 2007!", the worm spread via email 
with a malicious executable attachment. 

Late in January 2007, the Storm worm turned 
to love in a major new attack. Attached to the 
emails were files called postcard.exe or 
greetingcard.exe, taking advantage of the up- 
coming Valentine's holiday. 

Throughout 2007 Storm was aggressive about 
taking advantage of public holidays. For ex- 
ample, a campaign that posed as a 4th July 
greeting card, was heavily spammed out. 
Clicking on the link took surfers to a compro- 
mised zombie computer hosting the Troj/ 
JSEcard-A Trojan horse. 

In August of last year, Storm used a wave of 
malicious emails which posed as links to You- 
Tube videos. The emails encouraged recipi- 
ents to click on a link to download an online 
movie. Another August variant of Storm used 
the promise of music videos of popstars to get 
recipients to visit a hacked web page. 
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The infected page contained a malicious script 
and a Trojan horse designed to turn the user's 
PC into a compromised zombie. 

Late last year saw cybercriminals change tac- 
tics, as they started to use fear to get people 
to click on an attachment. The emails claimed 
that the sender was a private detective listen- 
ing to the recipient's phone calls. The 'detec- 
tive' claimed that he would reveal who had 
paid for the surveillance at a later date, but for 
the meantime the user should listen to what it 
purported was an attached recording of a re- 
cent phone call. This attachment was in fact a 



malicious executable program, designed to 
install malware, along with a piece of scare- 
ware to trick people into buying bogus security 
software for their computer. 

But at the very end of the year, the authors of 
the Storm worm returned to their old favorite - 
taking advantage of the seasonal spirit. First, 
in early December, new versions of the Storm 
worm were spammed out, using the lure of 
Santa Claus's wife doing a striptease. These 
were followed at the end of the month with a 
return to Happy New Year e-cards which con- 
tained links to websites hosting malware. 



THE MALWARE THREAT HAS EVOLVED OVER THE LAST 20 YEARS, 

AND WILL CONTINUE TO DO SO 



What has been the economic impact of 
malware for organizations during the past 
year? Is the overall situation improving? 

Organizations are worried about being in- 
fected and the cost of recovery. The overall 
numbers and range of types of threats contin- 
ues to increase. A major change in 2007 has 
been the increasing concern about data loss. 

Countless news stories, from TJ Maxx losing 
details of around 90 million customers over a 
two year period, and the November debacle of 
HMRC losing sensitive data of 25 million fami- 
lies in Britain, goes to show that even large 
organizations are at risk. 

In a Sophos poll, 70 percent of people were 
worried about losing sensitive data via email. 
In another poll, more than 60 percent were 
worried that their employees are a concern 
when it comes to data theft. 

Will the rising skill level of malicious uses 
and their grouping into criminal organiza- 
tions ultimately have an impact on the anti- 
malware industry? 

The malware threat has evolved over the last 
20 years, and will continue to do so. The same 
is true of threat protection - over the last few 
years there has been a fragmented approach 
to a fragmented threat. 



Sophos recognized early that the various 
threats that we see today are all elements of 
the same overall threat. 

The industry's solution has been to follow a 
comprehensive integration route, involving in- 
tegrating analysis and protection against vi- 
ruses, worms, spam and Trojans, deploying 
the appropriate combination of techniques in 
the appropriate mixture to contain threats 
without impeding productivity. However, it is 
inevitable that those with malicious intent will 
evolve their techniques as well. 

Microsoft claims that Windows Vista is the 
most secure OS they've produced so far. 
How does it stack up in the real world to 
the assault of assorted malware varieties? 

Microsoft talked a lot about security when 
Vista was released. New features such as 
Patchguard and User Account Control help to 
improve security and Internet Explorer 7 simi- 
larly contains enhanced capabilities. 

However, Microsoft's problem remains that it is 
the biggest target, and attackers will continue 
to find and exploit vulnerabilities. 

Many of those vulnerabilities are not in the 
OS, but in the users. Most malware has al- 
ways relied on social engineering to get the 
user to let it run - Vista doesn't change that. 
Any general purpose OS will always be vul- 
nerable, particularly if users are allowed to in- 
stall and run any application they choose. 
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With Linux and Mac OS X gaining market 
share among end users, many are specu- 
lating that this will lead to an increased in- 
flux of malware for those operating sys- 
tems. What's your take on that? 

Linux and Mac OS X are not fundamentally 
less vulnerable to malware than Windows, and 
it is right to suggest that they haven't been 
targeted as much because of their lower mar- 
ket share. So, as that share increases, their 
exposure increases and I anticipate that the 
threat will increase. In practice this is likely to 
be marginal, as Windows will continue to 
dominate the market for the foreseeable fu- 
ture. 

However, it is still necessary to protect non- 
Windows PCs in an enterprise environment, to 
ensure that Windows malware does not get 
left on those machines, re-infecting at will. In 
addition, we may also see an increased tar- 
geting of these platforms as Windows security 
continues to improve - attackers will always go 
for the easiest target. 

An additional trend is likely to be for OS- 
independent threats. Script/HTML based 
threats will run on any platform, and the vul- 
nerability remains the same... the user! 



The CSO is becoming increasingly aware 
of the dangers posed by careless users 
that introduce malware into the network by 
using portable storage devices. What can 
be done in order to mitigate this kind of 
risk? 

The user is a critical vulnerability on a number 
of fronts, however portable storage devices 
shouldn't be a problem for malware introduc- 
tion. The key here is that perimeter-based pro- 
tection is not a viable solution. As our net- 
works become ever more open and consumer 
technologies (iTunes, cameras, PDAs, smart- 
phones, USB storage, IM etc) are increasingly 
used at work, it is critical that malware protec- 
tion is tackled on the PC itself. Centrally man- 
aged endpoint security will handle threats, 
whether they're coming from email, web down- 
loads, CDs, or USB keys. In many organisa- 
tions it may not be possible to mandate ex- 
actly which security software is in place, par- 
ticularly for contractors and partners connect- 
ing to the network, but it's still possible to 
mandate and verify that a security product 
must be installed and up-to-date. 

The threat around portable storage devices 
relates to disclosure of the data stored on 
them. That's where we should be focussed, 
when discussing USB keys and iPhones. 



LINUX AND MAC OS X ARE NOT FUNDAMENTALLY LESS VULNERABLE TO 

MALWARE THAN WINDOWS 



Is there a universal solution for fending off 
blended threats? What kind of assaults 
should we be on the lookout for? 

The key is to recognize that we're not facing a 
set of distinct threats, but an ever increasing 
range of variations. We all started with anti- 
virus, and when the spyware problem 
emerged, a set of new products appeared. 
That was never going to deliver effective pro- 
tection. 

Users shouldn't have to be experts at choos- 
ing anti-virus, anti-spyware, anti-spam, HIPS 
and personal firewalls. These are all part of 
the same problem, and it is our job to be secu- 
rity experts, determining which technology to 
use at which times. 



Integrated endpoint security solutions must be 
the way forward. Not suites, but integrated so- 
lutions that can blend the techniques and 
technologies they use as the threat varies in 
real-time. 

There's a variety of anti-malware tools on 
the market and everyone claims they are 
the very best. In your opinion, what should 
the end user base his purchasing decision 
on? What are the most important features 
that define such a critical piece of soft- 
ware? 

End users and administrators should not be 
getting into the details of individual technolo- 
gies. They need to have a clear view of the 
problem that they're really trying to solve and 
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be asking for a comprehensive security solu- 
tion. It's always been difficult for users to test 
the effectiveness of the products they buy and 
it's getting more difficult. I haven't seen any 
independent tests that match real-world pro- 
tection recently, and the lab-based statistics 
we see are increasingly meaningless. 

Most people therefore focus on service, repu- 
tation and manageability. That's where you 
should be. You're not buying a set of products, 
or buzzwords, but a service. Make sure that 
your vendor is looking at the whole problem 
and has the visibility into the whole range of 
threats - malware, email, web. 

Security is evolving all the time, in response to 
both threat changes and IT use changes. To- 
day's products can not only protect against 
malware, but manage the use of unauthorized 
software and enforce a range of user policies. 

Although there have been many predic- 
tions about malicious code attacking mo- 
bile devices in the past, it hasn't happened 
yet on a large scale. Is there a real possibil- 
ity that we will see an outbreak of malware 
on platforms such as Symbian and Win- 
dows Mobile in the near future? 

The predictions about an imminent mobile de- 
vice threat have always been hype. That re- 
mains the case today. The devices are cer- 
tainly not invulnerable - there are a few hun- 
dred examples of mobile device malware, but 
they're not spreading for two main reasons. 

Firstly, the mobile device OS market is frag- 
mented. Malware aimed at PCs is almost cer- 
tain to hit a Windows PC, which will be com- 
patible with all the others. Malware aimed at 
mobile phones has to pick out not only the 
phones from other devices, but then the small 
percentage of smartphones, which is further 
subdivided into Symbian, Microsoft and 
Blackberry. In other words, the homogeneous 
environment that facilitates malware spread in 
the PC world doesn't exist for mobile devices, 
even if the absolute numbers seem large. 

Secondly, many of the mobile device operating 
systems have better security than Windows, 
using techniques like application signing to 
restrict unknown applications. The key here is 
that while these systems may be general- 



purpose computing platforms, they're not used 
in that way. Most devices are used to perform 
a narrow set of functions, with surprisingly little 
device to device communication, beyond voice 
and SMS. 

As the market continues to evolve, we need to 
keep monitoring it and thinking about security. 
The situation could change, but not with the 
current generation of devices. As I said earlier, 
the real threat is about disclosure, accidental 
or deliberate, of confidential data stored on 
these devices. That exposure primarily comes 
through the loss of the device itself. 

What kind of evolution do you expect in 
the near future when it comes to malware 
in general? Do you expect increased oc- 
currences of ransomware? What will 
probably be the next big threat? 

Today's typical hacker has been caught by 
greed disease. Not only can they steal infor- 
mation for the purposes of identity theft, they 
can also use the infected machines as part of 
a botnet or zombie army, allowing them to ac- 
cept payment for hitting websites and bringing 
their servers down, or even to send out spam 
messages. 

Behind many of today's attacks, there are 
huge cyber gangs that pay hackers to carry 
out this kind of work. Rather than write new 
pieces of malware - why reinvent the wheel? 
They use existing malware and try to obfus- 
cate it through encryption and packing tech- 
niques. The other advantage is that they can 
send out tons of malware - Sophos sees about 
1 0,000 pieces of malware each week, all de- 
signed to fool security filters and bypass them 
without being detected. 

Today's main threat is not the geeky teenager, 
but a member of a large criminal gang intent 
on stealing cash and sensitive information. 
What is going to happen tomorrow? Who will 
the hackers be? We can't see them leaving 
the money trail any time soon. After all, how 
many infected with greed do you see throwing 
in the towel to be free and happy once again. 

That's right - it's only in the movies. 



www.insecuremag.com 



128 





Interview with Raimund Genes, 
CTO of Anti-Malware at Trend Micro 

By Mirko Zorz 



Raimund Genes, CTO Anti-Malware, has been with Trend Micro since 1996. 
Genes has worked in the computer industry since 1978. As a well-known IT 
expert, Genes has published many articles in security-related magazines. 



What was the most dangerous piece of 
malware in 2007? Why? 

There is no single piece of malware which 
could be named as the most dangerous one. 
Malware is tricky and silent these days and 
every day thousands of new variants are re- 
leased. AVtest.org, independent testing or- 
ganization for Anti-Virus Software added 
225,000 new samples in June 2007 to their 
database (tinyurl.com/32vnlr). 

At the end of 2007 we saw around 400,000 
new malware per month. In terms of clever- 
ness engineering of malware, I would claim 
that in 2007 the best written malware family 
was NUWAR. 

What has been the economic impact of 
malware for organizations during the past 
year? Is the overall situation improving? 

Global outbreaks are over; this is why little is 
written about financial impacts due to mal- 
ware. But 2007 was a record year in terms of 
malware spreading, and in terms of data theft. 



Organizations might believe that thanks to 
their investments in security, the situation is 
improving. But that's wishful thinking! Malware 
attacks are affecting every organization, no 
matter what size. Nevertheless, malware writ- 
ers don't have any interest that their attacks 
are discovered. They don't want any public 
attention so a report of an outbreak by the 
media is bad for cybercriminals. 

Will the rising skill level of malicious uses 
and their grouping into criminal organiza- 
tions ultimately have an impact on the anti- 
malware industry? 

It already has an impact. Anti-malware com- 
panies have to invest a lot to cope with the 
amount of new malware. They have to work 
on new technologies to provide adequate pro- 
tection for their customer base. 

Microsoft claims that Windows Vista is the 
most secure OS they've produced so far. 
How does it stack up in the real world to 
the assault of assorted malware varieties? 

Microsoft Vista of course is the most secure 
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OS they have produced so far. But what does 
this say about their former operating systems 
like XP, which are still used everywhere. Vista 
indeed could be configured/used in a way, 
where it protects against most of nowadays 
malware, but the users will be confronted all 
the time with system warnings. And in a cor- 
porate environment, a system warning means 
a call to the helpdesk. That's why a lot of 
companies can't use UAC (User Access Con- 
trol). 

End-users are annoyed after a few days and 
click always on yes or disable UAC as well. 
And let's face it. If a user wants to download 
dancing skeletons for Halloween (a recent 
malware trick), the user will ignore all the 
warning messages, cause he wants to exe- 
cute the application. The weakest link is al- 
ways the human being, and with clever social 
engineering the cybercriminals are able to fool 
the average user, no matter what operating 
system is used. 

With Linux and Mac OS X gaining market 
share among end users, many are specu- 
lating that this will lead to an increased in- 
flux of malware for those operating sys- 
tems. What's your take on that? 

Thanks to the uptake of alternative operating 
systems, especially Mac OS X, we already 
see malware which has been ported from 
Windows to Mac OS X. Mac OS X by design 
is more difficult to infect, but as mentioned 
above, with clever social engineering you 
could lure a Mac user to download a VIDEO 
CODEC, which is malware. 

Linux is not on the radar for the malware in- 
dustry yet, because it is seldom used as a 
desktop operating system. Linux users nor- 
mally know a lot about computers and soft- 
ware (so they spot malware more easy than 
the average user). Most importantly, Linux has 
a lot of different builds/kernels/recompiled 
versions so there isn't a monoculture which is 
easy to attack. 

In the past, the monoculture and low security 
have been the reasons why Microsoft is the 
number one target. With increased popularity 
of Mac OS X, this platform could be a high 
profile target as well. And while under Win- 
dows, malware is written for financial gains, 
under Mac OS X, it could be written just to 



show off - that's what the virus writers did in 
the past (David L Smith with Melissa, Onel de 
Guzman with ILOVEYOU, Sven Jaschan with 
Sasser - they did it to show off, not for finan- 
cial gains). So what about a malware which 
unlocks your iPhone... and at the same time 
converts the iPhone into a bot! 
The CSO is becoming increasingly aware 
of the dangers posed by careless users 
that introduce malware into the network by 
using portable storage devices. What can 
be done in order to mitigate this kind of 
risk? 

Strict policies and policy enforcement can 
mitigate risk. It is possible to block USB ports 
by changing the HW settings and by software 
which only allows registered USB HW. But the 
CSO should not be concerned too much about 
portable storage devices. He should be con- 
cerned about notebooks. Most of his users 
might be mobile within his organization, they 
might work from home or from a hotel. So 
what if their notebook is stolen, hacked, in- 
fected while the user is on the road? The best 
way to protect the users and the intellectual 
property of a company is to monitor and re- 
strict the flow of information. It is about defin- 
ing who could do what with certain data. Most 
CSO's think about implementing Data Leak 
Prevention technologies (DLP). But DLP at 
the gateway or within the Intranet is not good 
enough. That's why DLP solutions need to be 
installed on every notebook/computer as well, 
to ensure DLP for mobile users. 

Is there a universal solution for fending off 
blended threats? What kind of assaults 
should we be on the lookout for? 

Unfortunately there is no universal solution 
against blended threats. A combination of se- 
curity solutions is needed to block these 
threats, firewalls, anti-malware, strict user 
policies, anti-spam, Web reputation/URL filter- 
ing just to name a few. 

What worries me is that more and more em- 
ployees are participating in social networks, 
and they reveal too much about their private 
and business life. Based on this it is very easy 
to craft a spear phishing attack against one or 
a few employees of a company, and this then 
leads to a successful infiltration of a company 
network. 
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There's a variety of anti-malware tools on 
the market and everyone claims they are 
the very best. In your opinion, what should 
the end user base his purchasing decision 
on? What are the most important features 
that define such a critical piece of soft- 
ware? 

There's no best for everyone. It really de- 
pends on what the user cares about. There 
are some AV solutions out there scoring well 
against millions of malwares in tests by using 
multiple scan engines. But they are almost not 
usable because they slow down the system 
too much and they create tons of false posi- 
tives. There are other solutions that provide 
good protection - but in case an infection oc- 
curs (and no AV vendor could protect against 
all threats), there's no vendor helpdesk, or the 
helpdesk is not able to do remote diagnostics/ 
removal of malware. 

The criteria's for me are: 



machine is infected with a keylogger/spambot 
or something else sinister, as long as the 
malware author is not too greedy. That's to- 
tally different to smartphones. Smartphones 
are heterogeneous devices, relying on differ- 
ent operating systems (Symbian, Windows 
Mobile, Linux, Mac OS). These operating sys- 
tems are tuned to specific phones, so one 
malware might infect only one series of Sym- 
bian smartphones. And this is not attractive for 
the malware industry. So the probability of a 
wide spreading malware for mobile devices is 
low. Actually Trend Micro has interviewed 
several companies, why they are buying mo- 
bile security solutions. 

And the priority has been: 

1. Encryption (risk of lost and stolen devices 
with confidential information on it) 

2. Firewall (WIFI enabled smartphones could 
be hacked easily - again, loss of confidential 
information is the driver) 

3. Antivirus 



• Detection rate above 90% - Avtest.org and 
others are conducting these detection rate 
tests on a regular basis. 

• Low system impact in terms of system per- 
formance. 

• Additional technologies besides pattern 
matching based on signature updates. URL 
filtering/Web reputation/firewalling/behavior 
analysis are a must have for a security suite. 

• Malware knowledge - An established player 
with a long history in the security industry and 
with the financial muscles to compete with the 
malware industry. 

• New protection and update methods like in- 
the-cloud reputation check/ community col- 
laboration systems. 

Although there have been many predic- 
tions about malicious code attacking mo- 
bile devices in the past, it hasn't happened 
yet on a large scale. Is there a real possi- 
bility that we will see an outbreak of mal- 
ware on platforms such as Symbian and 
Windows Mobile in the near future? 

The malware writers are making money with 
malware nowadays. A typical PC system is 
Windows based (monoculture) and is using 
DSL Flatrate to communicate with the Inter- 
net. It is an easy pray, and the average user 
will not recognize for months/years that his 



Naturally companies want a combination of 
these three functionalities in one package, to 
avoid the installation of multiple security 
agents. 

What kind of evolution do you expect in 
the near future when it comes to malware 
in general? Do you expect increased oc- 
currences of ransomware? What will 
probably be the next big threat? 

It is really a malware evolution, no malware 
revolution. The malware industry has figured 
out how to make money with malware the last 
two years, so why should they completely 
change their business model? The malware 
industry has realized that it is not beneficial if 
an infection is detected too early 
(Monster.com attack, The Italian Job), so I ex- 
pect more silent killers, malware which is 
unique and has a delay before it starts mali- 
cious activities. 

Ransomware creates too much media atten- 
tion, and by following the money it is relatively 
easy to figure out who is behind it. A threat for 
all of us is the fact that by combining hundred 
thousands of computers with a Botnet, a large 
scale attack on the infrastructure of a country 
is possible nowadays. 
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